Trust of a project long term always was and continues to be of concern when choosing a critical dependency .

The concern basically boils down to how large and serious is the team and what if they abandon the project in few weeks or months .

These were always the risks, many here have been burned by betting years of their career building against promising but what turned out to be weak projects

OP is alluding to the fact that today commit frequency, lines of code or how active the contributors in the issue trackers are no longer good signals to use as proxy.

When the underlying project to yours is few million lines of code written by machines only it is not going to be feasible fork and maintain or in-house it if the maintainers abandon it

To be clear users of a library or a tool aren’t owed anything when it available gratis and fully open source .

However not everyone has access to unlimited tokens to disregard the quality (in terms of history and usage ) or size of the underlying project completely

I have used AI agents extensively for coding and my experience is that it's fine for prototypes, but in large projects like this there is risk that the codebase becomes unmaintainable.

Not at all, I can assert that the Spring code on my current project is classical programming.

In many places AI tools aren't even allowed to touch customer repos.