Glad you like it!
Yeah, ensuring malicious people don't replace the lightning addresses of the component maintainers is critical. The same thing goes for not having dependencies which are clones of the actual library, just with added malware.
Payments per component would further incentivize devs to fork their dependencies as soon as they run into trouble with them, and then keep the forks alive so that they have their own payment address set.
Guess that leads us further towards some kind of reputation-based system like what you suggest.