Thanks for the thoughtful blog @Di4na (and @kushal). I think there's more to say about quality in OSS.
For sure, licenses say "AS IS", although that doesn't automatically imply the code has been thrown open without some thought to its downstream use. Some projects scrutinise the chain of dependencies and have mature communications channels about security vulnerabilities. And I wonder if this is associated with size, funding or governance structure of the open source project?
Alex
@alexinshandon@mastodon.scot
Tofu-eating cyclist. Likes to run trails (slowly). Plays guitar and mandolin. Lives in Edinburgh. Day job is SAML federation.