The Cyber Resilience Act (CRA) introduces a subtle but profound shift in how manufacturers must think about open source software. For years, integrating free and open-source software (FOSS) into products largely meant relying on upstream maintainers for fixes, monitoring vulnerabilities, and updating when patches became available. Under the CRA, that passive model no longer holds. In certain situations, a vulnerability