Application developers are being warned — again — that code packages available from open code repositories carry risks of infection they have to be prepared for before downloading.