Not the author, but I wouldn't say it's just (or even primarily) GitHub's pull requests or "critical security advisory" that's the problem here. PyPI requiring 2FA for maintainers of popular software has had more real-world impact (one maintainer took down and recreated their project, erasing old releases), and Google calling for deanonymizing (doxxing) maintainers of open-source software is more terrifying.
I'd argue that the problem isn't that "software supply chains do not exist", but "you using a program or library without pay does not and should not mean the software's author is now responsible for fulfilling your use cases and paperwork requirements".