microsoft / code-with-engineering-playbook

This is the playbook for "code-with" customer or partner engagements

Home Page:https://microsoft.github.io/code-with-engineering-playbook/

Add a section on evaluating OSS

balteravishay opened this issue · comments

Is your feature request related to a problem? Please describe.
The playbook lacks guidance on how to evaluate an open source dependency that is being taken.

Describe the solution you'd like
What tools can developers use to evaluate OSS? What are potential decision drivers? What are some common things to look for?

Additional context
Based on a recent engagement where the crew was unsure whether to take a dependency on an OSS package, given the rise in OSS supply chain attacks.