![](https://lemmy.ml/pictrs/image/587e6d09-3277-403c-8d22-bd62d759dfd7.jpeg)
![](https://programming.dev/pictrs/image/8140dda6-9512-4297-ac17-d303638c90a6.png)
First off, good on you for being careful. Ultimately, use the same methods that you would use when vetting other sources, like academic or personnel for hiring.
Check reputation via stars, active contributors, see what accounts are contributing and what other projects they also contribute to. Check their LinkedIn profile and personal websites.
See if you can confirm the project is being used safely by reputable groups. See if people, especially public people you trust are using/recommending it without being sponsored.
Check in private forums with other devs and users, see what people are saying. Check the code yourself, etc.
Ultimately, there’s no way to know 100%, even large companies and organizations have been duped in the past by backdoors or security bugs in OSS they use. You can be very confident however, it’s all about how much investigation you are interested in doing.
And of course, don’t ever put all your eggs in one basket.
And if after lots of investigation, you still have a bad feeling in your gut, listen to that. Better to be a little too careful than to compromise yourself by ignoring that gut feeling that something just doesn’t pass the smell test.
IT workers desperately need to unionize. There is so much bullshit that happens, folks are expected to do three different roles at once, have multiple technical stacks they are experts in, and work extra hours + be on call after hours or on weekends.