@julijane it’s not so black and white. If you are an unpaid maintainer you have no obligation to put in extra work, for sure. But if you do take down the banking system of a country once (still not your fault!) and people tell you your library is broken… I think you start having a responsibility to either deprecate it, fix it, or at least warn users. We live in a society.

@filippo (Filippo Valsorda)

Maybe, as a bank, you should not be using a random library taken from the internet, with a single maintainer and some 100 stars, and make it a critical dependency of your banking operations.

Maybe, as a bank, your IT should write and maintain such a library and open source it.

Maybe, as a bank, you should not continue to use the first library, and do the second thing after the first library was able to take down critical parts of your infra the first time.

Because we live in a society, and as a bank, you should be contributing to it, too.

But then, what do I know.

@julijane

