This is how the decentralized world is supposed to act: when someone spots something worrisome in a startup’s open-source code, he or she sounds an alarm—and the company behind the code springs into ...