The conflict between the US and the rest of the world might be the death of open source. Most GitHub handles and whatnot are anonymous. A competent malicious actor would not directly link themselves to Yandex or any other suspect entity. Perhaps they'll want us to provide ID just to publish source code like Android is making app developers do? This would not be unprecedented. China already requires you to register to publish a website.

Propper management of dependencies would help too

Too much promiscuous software out there.

Looking at you, Rust. My true love and next to Node.js the worst offender I know of