The broken part is dependency management. People will install anything as a dependency, and just because the code functionally works today they often assume that they can expect maintenance, support, and security into the future.
One of the biggest myths of "open source" is that it can replace commercial software in every way, but for free. It simply doesn't. Code is code, but nobody buys just code. They buy trust, support, a warranty, expertise, and a contract to back it up in court. You get none of this when your engineers `npm install who-knows-where-this-code-comes-from`.
Engineers are kicking the can down the road, and I don't think management in most places truly understands the extent of the code their companies are running for which:
* they employ nobody who is familiar with it
* they have no vendors on call who are familiar with it
* they have no idea who is committing to it
* if anything goes wrong, there is nobody to help them