@lupyuen
Blind use of dependencies, without awareness of the chain of subsidiary dependencies they introduce, is a big problem in a lot of software. I suspect it affects proprietary software companies more, because they often make use of free code modules under pushover licenses (esp. "BSD" or "MIT"), but without making these dependencies explicit. The geeks working there may know that security auditing free code they use is as much their job as anyone else's, but their managers often don't.