To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. CrowdStrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
I hope you don't think that waiting a month will protect you. Malicious software can wait to be triggered months or years before anything malicious happens.
Thanks to the web that produced CSS programmers who have been taught latest is greatest and shiny gets money.
Not a fair take, CPU-Z and HWMonitor are often used on new installations of PCs (or at least for me) to verify hw specs and stuff. Or when I need to do some upgrade work for a desktop computer.
I just go to the trusted site, download what's there and get going. This is not an npm package that a dev is updating on day 0 of its release for being a "human shield", it's literally the first version which comes up when DLing the new software.