Is anyone aware of any quantitative analysis or research on the security of CRAN or NPM?
E.g. how much malware is hosted, rate of compromise, speed to close, number of attack vectors, CERT reports, etc.
I'm trying to get a sense of the level of risk of compromised libs and dependencies in any of the major open source repos.
While papers like this one are useful (though dated):
http://dodcio.defense.gov/Portals/0/Documents/OSSFAQ/dodfoss_pdf.pdf
I'm interested specifically in repositories rather than FOSS in general.