Sourcegraph – Sponsored

Weakest link in software supply chain security (it’s not open source)

logged by @logbot

From the Sourcegraph blog:

Open source code is both treasure chest and Pandora’s Box. Instead of starting from scratch when building an application or program, software developers can draw from third-party libraries and packages to jump-start development. These shortcuts come with risk though, as packages often contain yet more packages within, and these dependencies could harbor malicious code planted by bad actors, or vulnerabilities that leave your code open to exploitation.

It’s easy to blame poorly maintained open source projects and make that random person in Nebraska the scapegoat here, but don’t write off third-party code. The alternative is reinventing the wheel every time and is likely to be frustrating for your engineering teams as they work on solving problems they know someone else has fixed already instead of writing new code. So, how do you balance the velocity unlocked by using third-party libraries with the risk posed by unaudited code? The answer is in your vulnerability management process.
