@Josh @cy @GossiTheDog And I'm not saying you aren't responsible for what you ship, or that performing due diligence on your dependency tree isn't a reasonable standard, just that it's an unfunded mandate in most cases that isn't going to actually happen reliably/commonly/unexpectedly absent some government regulation or software engineering licensure to fundamentally change the culture and incentives for software development.