That this would even become a thing for established and widely depended on projects shows how broken our model currently is.

In cases like this though, if it involves code from before 2005-2010 the author shouldn't matter since people put very little thought into security back then.