In the last year, we have seen at least two important supply-chain attacks, on Solarwind and Codecov products, and a new technique, named Dependency Confusion, to hack software dependencies. Protecting software from supply-chain attacks has become a priority both for companies and open-source projects. So, how can developers and engineers evaluate the security health of an open-source project? The answer is evaluating the right metrics for every dependency.