> Open source users like to think that "many eyes" keep the code clean, and they probably do help, especially on popular projects where all commits get reviewed in detail, but the chance is still there.

The XZ Utils backdoor (https://en.wikipedia.org/wiki/XZ_Utils_backdoor) bears mentioning here.