The author of this article did not have comments turned on, so I will respond here. The challenge ahead of open source programmers is the same FUD that has always been there. When you incorporate a third-party library, you have to perform a risk assessment and decide for yourself, your employer or your client whether the risk is acceptable.
In recent weeks I have started to perform code reviews of the projects I want to integrate with and then I fork their code so that I’m working from my version of the code. This has several side effects.
The first side effect of forking code is that I do not need to follow the main project and review every commit. Therefore it's unlikely that any malware will enter my ecosystem.
And secondly, if I make changes to the code, I can use them immediately instead of waiting for them to make it into the main project via a pull request.
The only real side effect is that I am now both programmer and reviewer/librarian, which I kinda was anyway.