>Open source offers some protection
Interesting point. At the developer end, open source is both a blessing and a curse. To name no names, I was looking at a Python GUI IDE some years back. One of the most promising ones was open source and it promised to do a lot of things. Looked great, lots of recommendations. This was back in the days when Python GUI tools were a dime a dozen and there was the sense that more choice was always good (thankfully the community has since realized that too much choice can be toxic to newcomers and veterans alike and the Python web app server space is way more focused these days than IDEs ever were).
Look under the covers though and you could see that a) it seemed to be a solo dev job, b) lots and lots of features and c) many features did not in fact work very well. They worked for basic use cases, but step outside and things would fall apart. Quickly.
Shiny? Yes. Robust? No.
10 years ago I decided I'd be much better off not touching that thing, free or not. But over the years, I've seen ongoing recommendations for it, even as no new release ever came out. Seems truly dead now, but still downloadable. Wonder how many people utterly wasted their time and money hitching their work onto that horse.
Another Python offering, this time an alternative to Django, also had that smell when you looked under its skirts. Whole branches of code not implemented, things that didn't work, over-promised feature set.
Open source is great, yes. But some offerings can be ephemeral in nature and it behooves you to have your eyes wide open while picking components and evaluate your exposure. Leftpad-style JavaScript micro-module dependencies are no big deal, they can be swapped out in a jiffy. Frameworks that your code is totally coupled to? Not so much.
For example, if I needed to use one, I'd be especially leery of the coming shakedown between the various JS frameworks a la Ember/ReactJS/Angular. There's a new one every week and not all of those will retain mindset.