I noticed a security issue in this repository: https://github.com/alinemorelli/react-gtm/blob/master/src/Snippets.js#L17
Basically, using HTTP instead of HTTPS to send data to google tag manager.
I haven’t contacter the author, but even if he does fix it, all the people who have installed it already won’t be notified and may not get the security patch.
Therefore, I think it would be fair to mark the repo as having a security issue, I’ve seen this feature but don’t know how to report a reporitory. (I get security issues weekly emails for my repo who are using an old version of EJS which has a security breach, that’s how I know about this feature)