Add recommendations on relying on "small" open-source libraries
As discussed with Michael at https://gitlab.cern.ch/ospo/requests/-/issues/36, we should add a recommendation on how to deal with dependencies on "small" open-source projects.
Input from the Security Team:
[...] get it packaged [...] would probably be the best option here, since it would remove any special maintenance need on your side. That said, you can subscribe to release and/or security alerts for a repo on GitHub, so that would already help you get notified about such updates.
We could also add something about evaluating whether and how to get involved in the upstream project.
Edited by Giacomo Tenaglia