It's been a bad week: Monday, the legal department requested to completely disclose and publish our code - an open source license dependency forces us to do so. On Wednesday, a new release had to be rolled back because the third-party author sabotaged his own Javascript module. On Friday, we finally found a security vulnerability in our upstream OpenSource product. Of course, we have excessively customized it - and upgrading is slow and painful now. How could it come so far? And more important: what architecture decisions, patterns and guidance would have avoided that?