Hacker News
by its-summertime 1295 days ago
Of course, we are looking through diffs between major versions for all our dependencies, right? And sitting on the relevant mailing lists for dependencies too, right?

Does the code look workable? If you needed to make patches, can you? Etc., etc.

"Risk" feels like a poor choice of word, considering countries like Australia can force any of their citizens to put a backdoor into any software they have access to. This risk has nothing to do with CN/non-CN lines, but on the laws of each and every country.

And that doesn't stop protest-based updates either from other developers in "safe" countries. Which seems to be way more likely.