Yep, exactly my point. IF they slip in anything suspicious it is forever logged on github and they would only be doing their brand (further) damage