FWIW there is a repo for R advisories.
https://github.com/RConsortium/r-advisory-database
with a front-end here
https://osv.dev/list?ecosystem=CRAN&q=
At present all of the *reported* vulnerabilities seem to be caused by
problems with underlying/bundled libraries ...
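As an added illustration (my own code, not part of this thread and not code from RConsortium's advisory database or from osv.dev): the OSV front-end linked above serves advisories in the OSV JSON schema, where each "affected" entry names an ecosystem/package and gives "ECOSYSTEM" ranges as introduced/fixed events. The script below parses a constructed advisory in that shape (the ID "EXAMPLE-0001", the package "examplepkg" and the versions are placeholders, not a real advisory) and reports which installed R packages fall inside an affected range. Python is used because it can be run here; the installed-package mapping is what you would get from installed.packages()[, c("Package", "Version")] in R.

```python
import json
import re

# Constructed sample in the OSV schema shape. NOT a real advisory: the ID,
# package name, summary and versions are placeholders for illustration.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-0001",
  "summary": "Placeholder: R package bundling a vulnerable C library",
  "affected": [
    {
      "package": {"ecosystem": "CRAN", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.2-3"}]}
      ]
    }
  ]
}
""")


def parse_r_version(v):
    """Turn an R version string ('1.2-3', '0.99.1') into a tuple of ints.

    R treats '.' and '-' as equivalent separators (see ?package_version),
    so '1.2-3' and '1.2.3' compare equal; tuple comparison then orders
    versions component-wise, with a shorter prefix sorting first."""
    return tuple(int(p) for p in re.split(r"[.-]", v))


def affected_ranges(events):
    """Pair OSV range events into (introduced, fixed-or-None) intervals.

    OSV events are ordered; an 'introduced' opens a half-open interval and
    the next 'fixed' closes it. An unclosed 'introduced' means no fix yet."""
    pairs, current = [], None
    for ev in events:
        if "introduced" in ev:
            current = ev["introduced"]
        elif "fixed" in ev and current is not None:
            pairs.append((current, ev["fixed"]))
            current = None
    if current is not None:
        pairs.append((current, None))
    return pairs


def version_affected(version, events):
    """True if `version` lies in [introduced, fixed) for any interval.

    OSV uses the literal string "0" for 'introduced' to mean 'all versions
    before the fix', so it is handled without parsing."""
    v = parse_r_version(version)
    for intro, fixed in affected_ranges(events):
        at_or_after_intro = intro == "0" or v >= parse_r_version(intro)
        before_fix = fixed is None or v < parse_r_version(fixed)
        if at_or_after_intro and before_fix:
            return True
    return False


def check_installed(installed, advisories, ecosystem="CRAN"):
    """Match installed packages against advisories.

    installed:  {package name: version string}
    advisories: list of OSV advisory dicts
    Returns a list of (name, version, advisory id) for each hit."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            name = pkg.get("name")
            if name not in installed:
                continue
            for rng in aff.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":
                    continue  # GIT/SEMVER ranges need different comparison
                if version_affected(installed[name], rng["events"]):
                    hits.append((name, installed[name], adv["id"]))
                    break
    return hits


if __name__ == "__main__":
    # Constructed inventory standing in for installed.packages() output.
    inventory = {"examplepkg": "1.2-2", "otherpkg": "3.0.1"}
    for name, ver, adv_id in check_installed(inventory, [SAMPLE_ADVISORY]):
        print(f"{name} {ver} is affected by {adv_id}")
```

In practice the advisory list would come from the database repo linked above or from OSV's query API (a POST to https://api.osv.dev/v1/query with {"package": {"name": ..., "ecosystem": "CRAN"}, "version": ...}); the range logic stays the same. The version parser assumes purely numeric R versions, which is what CRAN enforces.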
On 2024-04-03 4:37
Uwe,
Whether it takes a lot of effort to get malicious code into a company
depends on the pay-off, which can be large relative to the effort. The
example of the hack before was largely interesting because the priorities
of the package users were fundamentally insecure (higher version number
wins,