I’ve worked with .net for 7 years and the “Microsoft” tag can really give you a false sense of security. I worked in the public sector, so we also took these things rather serious.
We’ve had far more security issues with the .net toolset than we have had with Python which is far more open. Most of them have been developer mistakes, because the update process for .Net is far less intuitive than it is for Python. So my developers haven’t always been on point with updates, getting caught in the act when our network team closed old TLS versions or similar.
But the biggest issues have been with libraries abandoned by Microsoft. Like when they wanted to move the world into Azure runbooks and this no longer needed their library for Windows Server Orchestrtion runbooks. Or the half finished libraries like everything involving on prem AD.
By comparison we’ve had absolutely no issues with Python. So I think this is more of a NPM issue than anything.
We’ve had far more security issues with the .net toolset than we have had with Python which is far more open. Most of them have been developer mistakes, because the update process for .Net is far less intuitive than it is for Python. So my developers haven’t always been on point with updates, getting caught in the act when our network team closed old TLS versions or similar.
But the biggest issues have been with libraries abandoned by Microsoft. Like when they wanted to move the world into Azure runbooks and this no longer needed their library for Windows Server Orchestrtion runbooks. Or the half finished libraries like everything involving on prem AD.
By comparison we’ve had absolutely no issues with Python. So I think this is more of a NPM issue than anything.