Supply chain attack, security training and dependencies
We have all heard that so many times, and it is still ignored by so many people.
Watching an open source project that I love treat dependency upgrades like s***, maybe they will never get a severe security vulnerability during its life even if they reach 100k stars; the more familiar I get with the maintainers, the more worried I become, and it seems no one is in charge of this. Just like laws, they'll only change when death happens.