I have seen small utility libraries like tj-actions get compromised because there aren't any security specialists looking at the library.

My main concern is supply chain compromise.

▲

ImPostingOnHN 2 hours ago | parent [-]

Unless you're talking about a different event, tj-actions wasn't "compromised because there aren't any security specialists looking at the library". Instead, an API key was used, maybe by the author, maybe by someone else, to replace good code with bad code, including modifying historical release tags to point to the bad code.

That said, everything in my previous post still applies: a nonzero buglist is totally normal and widely accepted.

	▲	securesaml 2 hours ago \| parent [-]
		I'm not too sure about the root cause about tj-actions. IIRC there are some libraries that compromised by actions injections vulnerabilities, where a security specialist could have helped.