Comment by catlifeonmars 3 days ago

I don’t use stars to select dependencies FWIW. I look for age, CVEs and what other reputable projects depend on a repo. I also try to look for other signals, like if claims in the README don’t match the implementation, or if there’s poor hygiene in the CI workflows. (And yes, I have gotten burned by an otherwise well-meaning project with a supply chain vuln.) As the saying goes, “a little copying is better than a little dependency” (see: https://www.youtube.com/watch?v=PAAkCSZUG1c&t=9m28s).
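The signals above (repo age, known vulns, CI hygiene) can be mechanised. Below is an added example, not code from the commenter or from any project mentioned, that builds the request body for the OSV vulnerability API, reads an OSV-style response, computes repo age from a GitHub-style `created_at` field, and greps a GitHub Actions workflow for two common hygiene problems: third-party actions pinned to a mutable tag instead of a commit SHA, and `pull_request_target` combined with checking out the PR head. The OSV response, the timestamps, the SHA and the workflow are all constructed sample data; the vuln IDs are placeholders, not real advisories.

```python
"""Dependency-vetting helpers: age, known vulns (OSV), CI workflow hygiene.

Runs offline on constructed sample data; feed it real API responses to use it.
"""
import json
import re
from datetime import datetime, timezone

# --- Signal 1: known vulnerabilities via OSV -------------------------------
# Request shape for POST https://api.osv.dev/v1/query (real API). The sample
# response further down is CONSTRUCTED; its IDs are placeholders.
def osv_query_body(name: str, ecosystem: str, version: str) -> dict:
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}

def known_vulns(osv_response: dict) -> list[str]:
    """Return the OSV IDs plus any CVE aliases of vulns affecting the queried version."""
    ids = []
    for v in osv_response.get("vulns", []):
        ids.append(v["id"])
        ids.extend(a for a in v.get("aliases", []) if a.startswith("CVE-"))
    return ids

# --- Signal 2: project age ---------------------------------------------------
def repo_age_days(created_at_iso: str, now: datetime) -> int:
    """Age in days from an ISO-8601 timestamp such as GitHub's repo created_at."""
    created = datetime.fromisoformat(created_at_iso.replace("Z", "+00:00"))
    return (now - created).days

# --- Signal 3: CI hygiene in GitHub Actions workflows ------------------------
# Tags are mutable, so an action pinned to @v4 can change code under you;
# pull_request_target + checkout of the PR head runs untrusted code with the
# base repo's secrets. Both are cheap to spot with a regex, no YAML parser needed.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head")

def workflow_findings(workflow_text: str) -> list[str]:
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(
                f"line {lineno}: {m.group(1)} pinned to mutable ref '{m.group(2)}', pin to a commit SHA"
            )
    if "pull_request_target" in workflow_text and PR_HEAD_RE.search(workflow_text):
        findings.append("pull_request_target checks out the PR head: untrusted code runs with repo secrets")
    return findings

# --- Combine the signals into a list of reasons to think twice ---------------
def vet(version, osv_response, created_at, workflow_text, now, min_age_days=365) -> list[str]:
    reasons = []
    vulns = known_vulns(osv_response)
    if vulns:
        reasons.append(f"known vulns affecting {version}: {', '.join(vulns)}")
    age = repo_age_days(created_at, now)
    if age < min_age_days:
        reasons.append(f"repo is only {age} days old")
    reasons.extend(workflow_findings(workflow_text))
    return reasons

# --- Constructed sample inputs (placeholders, not real data) ------------------
SAMPLE_OSV_RESPONSE = {"vulns": [{"id": "OSV-SAMPLE-1", "aliases": ["CVE-0000-00000"]}]}
SAMPLE_CREATED_AT = "2024-01-01T00:00:00Z"
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0000000000000000000000000000000000000000
      - run: npm ci && npm test
"""  # the all-zero SHA is a placeholder standing in for a real 40-hex commit pin

def sample_report() -> list[str]:
    return vet("1.2.3", SAMPLE_OSV_RESPONSE, SAMPLE_CREATED_AT, SAMPLE_WORKFLOW, SAMPLE_NOW)

if __name__ == "__main__":
    print(json.dumps(osv_query_body("left-pad", "npm", "1.2.3")))
    for reason in sample_report():
        print("-", reason)
```

On the constructed sample this reports four reasons: the placeholder vuln, a repo 60 days old, `actions/checkout@v4` pinned to a tag, and the `pull_request_target` checkout. The CI check is deliberately narrow; it flags only what it can see in `uses:` lines, so a clean result is a necessary signal, not proof of good hygiene.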