First, everyone uses open source, and that is not going to change. The application security testing (AST) toolset is simply not built to address supply chain attacks, so leaving your pre-build process to chance is a disaster waiting to happen. Second, hackers KNOW that tracking open source components and providing provenance/attestations is difficult. That makes typosquatting and other common vectors even more appealing to them. And third, AI will undoubtedly improve the creation of simple apps, but it will also enable smarter hacks.