Some enterprises, in the wake of #xz, are focusing on their metrics for #opensource dependencies they ingest... rather than investing money, developer time, or other resources* to directly support maintainers.
But as I mentioned to a friend recently:
If downstreams do not provide at least as much support as a motivated attacker would, we're likely to continue to get these kinds of outcomes, and to be deceived, as attackers shape their efforts to trick the metrics.
As I said, I still do #opensource but care a lot less... The last straw was when I got a literal #deaththreat from someone because I hadn't worked on a #project in a while (due to personal circumstances).
I dropped that project like a brick, locked everything down, and went underground for 2-3 years. Not because I was afraid, but because I was fed up. Not the best approach, but still.