Open source projects build on the capabilities of other open source projects. WordPress, for example, depends on Linux, Apache, MySQL, and PHP, among many others — all open source projects that WordPress uses to provide functionality that would otherwise have to be re-created from scratch. The web wouldn’t be what it is today without the ability to reuse code in this way.
The truth is that they don’t know. They trust the system to find and fix vulnerabilities. Outside of strict government and corporate software projects, no one has the time or the money to check the security status of every library used by their software.
GitHub’s Security Alerts are an attempt to address this problem automatically. GitHub knows about the dependency graph (the tree of packages a project depends on) and can cross-reference that information with vulnerability databases. GitHub’s Security Alerts use the National Vulnerability Database of the National Institute of Standards and Technology.
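The cross-reference described above, reduced to its core step, as an added example that is not GitHub's code: a lock-file style manifest is matched against NVD-style advisory records by package name and affected version range. The manifest, the package names, the advisory ids and the version ranges are all constructed for illustration.

```python
"""Toy dependency-graph / vulnerability-database cross-reference (added example)."""
import json

# Constructed lock-file style manifest: package -> resolved version.
MANIFEST = json.loads("""{
  "dependencies": {
    "left-pad-ish": "1.1.3",
    "template-engine-x": "2.4.0",
    "http-client-y": "0.9.12"
  }
}""")

# Constructed NVD-style advisories; the ids are placeholders, not real CVEs.
# "introduced" is the first affected version, "fixed" the first patched one
# (None means no fix has been released yet).
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "package": "template-engine-x",
     "introduced": "2.0.0", "fixed": "2.4.1", "severity": "HIGH"},
    {"id": "CVE-PLACEHOLDER-0002", "package": "http-client-y",
     "introduced": "0.9.0", "fixed": "0.9.10", "severity": "MEDIUM"},
    {"id": "CVE-PLACEHOLDER-0003", "package": "left-pad-ish",
     "introduced": "1.2.0", "fixed": None, "severity": "LOW"},
]

def parse_version(v):
    # Dotted numeric versions only. Compare as integer tuples, because as
    # strings "1.10.0" would sort below "1.9.0" and produce false alerts.
    return tuple(int(part) for part in v.split("."))

def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_alerts(manifest, advisories):
    """Match every dependency against every advisory for the same package."""
    alerts = []
    for pkg, version in manifest["dependencies"].items():
        for adv in advisories:
            if adv["package"] == pkg and is_affected(version, adv["introduced"], adv["fixed"]):
                alerts.append((pkg, version, adv["id"], adv["severity"], adv["fixed"]))
    return sorted(alerts)

if __name__ == "__main__":
    for pkg, ver, adv_id, sev, fixed in find_alerts(MANIFEST, ADVISORIES):
        fix = f"upgrade to {fixed}" if fixed else "no fixed version yet"
        print(f"{sev}: {pkg}@{ver} matches {adv_id} ({fix})")
```

Only template-engine-x produces an alert: http-client-y is already past the fixed version and left-pad-ish is below the introduced one, which is exactly the range check a real alerting system has to get right.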
The feature is turned on by default for public repositories, and will email project administrators when a vulnerability is discovered. It can be turned on by administrators of private repositories if they so desire.