And the reason I'm writing a whole thread about this is that fundamentally, I refuse to treat this as a problem when a lot of discourse around open-source libs very much wants to pretend that it is.
I don't know, man. Some projects just exist to scratch a very particular niche itch and are maintained by people who have plenty of other things going on in their life and... that has to be OK?
Like yes, I agree that it sucks that stb_image has a lot of exploitable bugs that often are around for months or years at a time but at the same time... we're completely transparent about this. Don't put this code in a security-sensitive context, especially if you need timely updates. We realistically can't serve that need and we have never claimed that we could.