The short-term moral of the story is to treat external FOSS dependencies like internal dependencies: fetch a certain state of the dependency and fork it into your internal repository. We do this a lot here with FOSS dependencies that do not appear to be properly maintained. And a one-person project is never properly maintained.
The bad thing is that we do not catch transient dependencies with this not-properly-maintained property that way.
The incident stresses the importance of looking at and verifying the state of each external dependency you use in your software, including transient dependencies.
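One way to make that check mechanical, as an added example that is not part of the comment above: walk the lock file, which lists every transitive dependency as well as the direct ones, and compare each entry against an internal inventory of what was actually fetched, reviewed and forked. The lock file uses npm's real lockfileVersion 2/3 "packages" layout, but the package names, URLs, hash values and the inventory format (name to version plus integrity) are constructed placeholders for this example, not data from any real project.

```python
"""Audit a lock file against an internal inventory of vendored (forked) dependencies.

Every package in the lock file, direct or transitive, is checked against the
state that was fetched, reviewed and forked internally. Anything that is not
vendored, or whose version or integrity hash drifted from the vendored copy,
is reported so it cannot slip into a build unreviewed.
"""
import json
from dataclasses import dataclass

# Constructed sample lock file in npm's lockfileVersion 3 layout (the "packages"
# map keyed by install path). Package names, URLs and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"left-lib": "^1.0.0", "sig-util": "^4.0.0"}},
        "node_modules/left-lib": {
            "version": "1.0.0",
            "resolved": "https://registry.example/left-lib-1.0.0.tgz",
            "integrity": "sha512-LEFTLIB100",
            "dependencies": {"tiny-helper": "^2.1.0", "inner-dep": "0.3.0"},
        },
        "node_modules/sig-util": {
            "version": "4.0.0",
            "resolved": "https://registry.example/sig-util-4.0.0.tgz",
            "integrity": "sha512-SIGUTIL400-REPUBLISHED",
        },
        # Hoisted transitive dependency of left-lib.
        "node_modules/tiny-helper": {
            "version": "2.1.1",
            "resolved": "https://registry.example/tiny-helper-2.1.1.tgz",
            "integrity": "sha512-TINYHELPER211",
        },
        # Nested (non-hoisted) transitive dependency of left-lib.
        "node_modules/left-lib/node_modules/inner-dep": {
            "version": "0.3.0",
            "resolved": "https://registry.example/inner-dep-0.3.0.tgz",
            "integrity": "sha512-INNERDEP030",
        },
    },
})

# Constructed inventory of what was fetched, reviewed and forked internally.
# The format (name -> version + integrity) is an assumption for this example.
VENDORED = {
    "left-lib":    {"version": "1.0.0", "integrity": "sha512-LEFTLIB100"},
    "sig-util":    {"version": "4.0.0", "integrity": "sha512-SIGUTIL400"},
    "tiny-helper": {"version": "2.1.0", "integrity": "sha512-TINYHELPER210"},
    # inner-dep was never vendored: nobody noticed it was being pulled in.
}


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    kind: str    # "direct" or "transitive"
    status: str  # "ok", "not-vendored", "version-drift", "integrity-mismatch"


def package_name(install_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their slash)."""
    return install_path.rsplit("node_modules/", 1)[1]


def audit_lock(lock_text, vendored):
    """Return one Finding per lock file entry, direct and transitive alike."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion >= 2 required: v1 has no 'packages' map")
    packages = lock["packages"]
    direct = set(packages.get("", {}).get("dependencies", {}))
    findings = []
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        # Only a top-level install of a root dependency is "direct"; a nested
        # copy under another package is transitive even if the name matches.
        top_level = path.count("node_modules/") == 1
        kind = "direct" if (name in direct and top_level) else "transitive"
        pinned = vendored.get(name)
        if pinned is None:
            status = "not-vendored"
        elif pinned["version"] != entry.get("version"):
            status = "version-drift"
        elif pinned["integrity"] != entry.get("integrity"):
            status = "integrity-mismatch"
        else:
            status = "ok"
        findings.append(Finding(name, entry.get("version", "?"), kind, status))
    return findings


def unreviewed(findings):
    """Everything that would be built from a state nobody inside has reviewed."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, VENDORED):
        print(f"{f.status:<18} {f.kind:<10} {f.name}@{f.version}")
```

Run against the constructed lock file, the script reports the direct dependency whose registry tarball no longer matches the vendored hash, the hoisted transitive dependency that drifted a patch version past the vendored copy, and the nested transitive dependency that was never vendored at all; only the properly forked direct dependency passes. Real npm integrity values are `sha512-` followed by base64, and the same comparison applies to any lock format that records a version and a content hash per package (go.sum, Cargo.lock), with only the parser changing.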