I think it just depends on whether or not you interpret the phrase "no one knows" neutrally or pessimistically.

Saying that there could be something there, but "no one knows" doesn't mean that there is something there. But it's still true.

▲

woodruffw 5 hours ago | parent [-]

If that's the case, it would be a lot simpler (and equally accurate) to say that "no one knows" what the source repo is doing, either! The median consumer of packages in any packaging ecosystem is absolutely not reading the entire source code of their dependencies, in either the ground truth or index form.

	▲	dralley 5 hours ago \| parent [-]
		That's certainly true - and would also be true (maybe even moreso) if vendoring dependencies was widespread. Seems just as easy to hide things in a "vendored" directory that's 20x the size of the library.