Indeed. I’m the project creator. That’s standard legal notice we must add to these kind of “large” repos. If not a dev team should maintain it full time with security incidents response managed within a SLA, which is not the case there. The same project is working in production for a few customers.