Reply to post:

When one open-source package riddled with vulns pulls in dozens of others, what's a dev to do?

Phil O'Sophical Silver badge
Flame

If a developer is pulling in unchecked and untested third-party packages, and including them in a 'product' that is shipped to their customers, then that developer should face the full force of any legal penalties incurred by their customers due to the developer's incompetence.

If an aircraft manufacturer bought components from a supplier, and just installed them without consistently checking that they met the safety specs, would they get away with saying "not my fault, blame my supplier"?

It isn't 'agile', it's 'lazy'.
