Are Rust's package manager (Cargo) and Go's go get secure? I heard that npm used to not check anything.
Common Lisp
Scheme
There is the GNU Guix package manager (that can be used on other distros).
I think the best way to avoid these attacks is to use version pinning for all dependencies.
This.
You should (be able to) pin all dependencies to a particular version/commit. And all packages should be signed.
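As an added illustration of the pinning advice in the reply above (example code written for this thread, not from Cargo or any project it names): a small Python audit of a Cargo.lock that flags registry packages lacking a sha256 checksum and git sources lacking a commit hash. The lockfile contents are constructed, and the minimal parser handles only the scalar `key = "value"` lines of Cargo's v2+ lockfile layout.

```python
import re

# Constructed Cargo.lock (v2+ layout, checksums inline); not from a real project.
SAMPLE_LOCK = """\
[[package]]
name = "serde"
version = "1.0.190"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

[[package]]
name = "serde_derive"
version = "1.0.190"
source = "sparse+https://index.crates.io/"

[[package]]
name = "floating"
version = "0.2.0"
source = "git+https://example.com/org/floating?branch=main"
"""

KV_RE = re.compile(r'^(\w+) = "(.*)"$')       # scalar key = "value" lines
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")      # crates.io checksum format
GIT_COMMIT_RE = re.compile(r"#[0-9a-f]{40}$")  # commit hash in a git+ source

def parse_packages(text):
    # Split the lockfile into [[package]] tables, keeping scalar keys only.
    packages, current = [], None
    for line in text.splitlines():
        if line.strip() == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def audit_cargo_lock(text):
    # One finding per package whose source is not pinned to immutable content;
    # a package with no source is a path/workspace crate and is left alone.
    findings = []
    for pkg in parse_packages(text):
        label = f"{pkg.get('name')} {pkg.get('version')}"
        source = pkg.get("source", "")
        if source.startswith(("registry+", "sparse+")):
            if not SHA256_RE.match(pkg.get("checksum", "")):
                findings.append(f"{label}: registry package without sha256 checksum")
        elif source.startswith("git+") and not GIT_COMMIT_RE.search(source):
            findings.append(f"{label}: git dependency not pinned to a commit")
    return findings
```

Running `audit_cargo_lock(SAMPLE_LOCK)` reports `serde_derive` (no checksum) and `floating` (no commit) and stays silent on `serde`; the same check run in CI alongside `cargo build --locked` keeps a lockfile edit from loosening the pins.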