Comment on Do you actually audit open source projects you download?
treadful@lemmy.zip 1 week ago

Contributors is my favorite metric. It shows that there are lots of eyes on the code. Makes it less likely that a single bad actor is able to do bad things.

That said, the supply chain and sometimes the packaging are very opaque. So it almost renders all of that moot.