> ...full force of any legal penalties...
Nod, +1.
I got my first security advisory email from GitHub this week due to a "vulnerable dependency in repositories[...]", which was nice to see because it's a reassuring upshot of automation being done on checking this sort of thing.
Unfortunately due to "no server [...] currently available to service your request" I haven't yet read the page with the details, but at least I can see from the email's summary that it's not in any recent personal uploads or even in a repository I've got write access to (plus I can trust others to pay/have paid appropriate attention) and take comfort from that.