A pattern that's gotten worse in the last year or so: drive-by PRs from third-party "security scanners" trying to plant their badge in your README. Got one last week — single-line diff adding a markdown image link back to their scanning service, with a body formatted as a "94/100 Verified Safe" audit report. The "high severity finding" they flagged turned out to be the section of our README explaining how we defend against prompt injection. They were scoring legitimate documentation as a vulnerability so the report would look thorough.

The economics make sense if you squint: each accepted PR is a permanent backlink on a real OSS repo, and most maintainers don't have time to review carefully. Close one, see five more.

Combined with the Dependabot avalanche (a small repo I check in on has 15+ open dep bumps, half with stale merge conflicts because they touch the same workflow file), the modern maintainer tax isn't writing code — it's triaging bots and growth-hackers who treat your contribution policy as an SEO funnel.

Zero-dep philosophy doesn't fully escape this; the PRs come for your README badges and your transitive scanners regardless.
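A small triage check for the badge-PR pattern described in the comment above, added here as an example (it is not code from the commenter or from any project they mention): it parses a unified diff and labels a PR as badge spam when its only change is an added markdown image link pointing at a host outside an allowlist, inside a markdown file. The sample diffs, the `scanner.example` host and the allowlist contents are constructed for the example; a real deployment would feed it the PR's diff from CI.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the one-line "badge" PR described above. The
# scanner.example host is a placeholder, not a real service.
SAMPLE_DIFF = """\
diff --git a/README.md b/README.md
index 1234567..89abcde 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
 # myproject
+[![Verified Safe 94/100](https://scanner.example/badge/myproject.svg)](https://scanner.example/report/myproject)
 
 A zero-dependency thing.
"""

# Constructed sample of an ordinary code change, for contrast.
SAMPLE_CODE_DIFF = """\
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,2 +1,3 @@
 import os
+import sys
 print(os.getcwd())
"""

# Markdown image syntax with an absolute http(s) URL: ![alt](https://host/path)
BADGE_RE = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)")


def parse_unified_diff(text):
    """Split a unified diff into per-file dicts of added and removed lines."""
    files = []
    current = None
    for line in text.splitlines():
        if line.startswith("diff --git"):
            path = line.split()[-1]          # 'diff --git a/x b/x' -> 'b/x'
            if path.startswith("b/"):
                path = path[2:]
            current = {"path": path, "added": [], "removed": []}
            files.append(current)
        elif current is None:
            continue                          # preamble before the first file
        elif line.startswith("+++") or line.startswith("---"):
            continue                          # file headers, not content
        elif line.startswith("+"):
            current["added"].append(line[1:])
        elif line.startswith("-"):
            current["removed"].append(line[1:])
    return files


def badge_hosts(line, allowed_hosts):
    """Return hosts of markdown image links on a line that are not allowlisted."""
    hosts = []
    for url in BADGE_RE.findall(line):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            hosts.append(host)
    return hosts


def classify_pr(diff_text, allowed_hosts=frozenset()):
    """'badge-spam' if every change is an added external badge in a markdown
    file; 'needs-review' for anything else (code, removals, allowlisted badges)."""
    files = parse_unified_diff(diff_text)
    if not files:
        return "needs-review"
    flagged = []
    for f in files:
        if not f["path"].lower().endswith((".md", ".markdown")):
            return "needs-review"             # touches something other than docs
        if f["removed"]:
            return "needs-review"             # deletes content; a human should look
        for line in f["added"]:
            if not line.strip():
                continue
            hosts = badge_hosts(line, allowed_hosts)
            if not hosts:
                return "needs-review"         # added text that is not an external badge
            flagged.extend(hosts)
    return "badge-spam" if flagged else "needs-review"


if __name__ == "__main__":
    # The allowlist is an assumption; populate it with the badge hosts your CI actually uses.
    allowed = frozenset({"img.shields.io"})
    print(classify_pr(SAMPLE_DIFF, allowed))       # badge-spam
    print(classify_pr(SAMPLE_CODE_DIFF, allowed))  # needs-review
```

The check is deliberately conservative: anything that removes text, touches a non-markdown file, or adds a line that is not an external badge falls through to human review, so it only auto-labels the narrow "one added badge link" case and never closes a real contribution on its own.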

This is basically a problem with Open Source hosted at Github, right? Because Github doesn't allow you to turn off PRs for people outside your organization.

Since Github has been asked to change this policy since time immemorial and has not responded, another possible response is to host your project somewhere else that doesn't have the same policy and/or doesn't have the same volume of spammers. Of course that means that you don't get the benefits of hosting at Github, but the cost/benefit ratio of hosting there has changed over time.