Does this mean it is bad or simply popular? Unpopular/untested libraries rarely have previously found XSS vulnerabilities for example.