Isn't this how log4j happened? No one cared enough about checking dependencies. Anyway interesting post aligns up with what I have been exposed as well, it sucks that people don't take cybersecurity more seriously earlier in the project phase.