ImPostingOnHN 3 hours ago

If you look at the issue list for any significant open source project, it's probably of nonzero size. That's a way of saying "no": just don't do it.

Maybe you're overloaded, maybe you just don't feel like it. It's totally normal, and different projects have different levels of resources, some with none anymore.

securesaml 3 hours ago | parent

I have seen small utility libraries like tj-actions get compromised because there aren't any security specialists looking at the library.

My main concern is supply chain compromise.

ImPostingOnHN 2 hours ago | parent

Unless you're talking about a different event, tj-actions wasn't "compromised because there aren't any security specialists looking at the library". Instead, an API key was used, maybe by the author, maybe by someone else, to replace good code with bad code, including modifying historical release tags to point to the bad code.

That said, everything in my previous post still applies: a nonzero buglist is totally normal and widely accepted.

securesaml 2 hours ago | parent

I'm not too sure about the root cause of the tj-actions incident. IIRC there are some libraries that were compromised by actions injection vulnerabilities, where a security specialist could have helped.
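As an added example (not part of the thread and not any project's own tooling), a small Python checker for the two supply-chain weaknesses the discussion touches on: action references pinned to a movable tag instead of a commit SHA (which is why retargeted release tags reach consumers), and `run:` steps that interpolate contributor-controlled `github.event` data directly into the script, the shape of an actions injection bug. The workflow text and the 40-hex SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not a real project's file); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: echo "Title: ${{ github.event.pull_request.title }}"
      - name: safe greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s@]+)@(\S+)")
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
# github.event fields that a pull request author or commenter controls.
UNTRUSTED = re.compile(r"\$\{\{[^}]*github\.event\.(?:pull_request|issue|comment|review|head_commit)\.[^}]*\}\}")


def find_mutable_refs(text):
    """Return (action, ref) pairs whose ref is not a full commit SHA; a tag can be moved, a SHA cannot."""
    hits = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def find_injected_run_steps(text):
    """Return run: scripts that interpolate untrusted event data; such data belongs in env: instead."""
    hits, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, first = len(m.group(1)), m.group(2)
        script = [] if first.rstrip() in ("|", ">", "|-", ">-") else [first]
        # Collect block-scalar continuation lines (more indented than the run: key).
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            script.append(lines[i].strip())
            i += 1
        if UNTRUSTED.search("\n".join(script)):
            hits.append("\n".join(script))
    return hits
```

The "safe greet" step shows the fix the checker expects: the expression is assigned to an `env:` variable and the script reads `$TITLE`, so the shell never sees the raw contributor-supplied text as code.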