What if the developer isn't around anymore to fix it?
It means you have picked the wrong library, since there isn't enough interest in it to sustain it. You should then drop it for a replacement or write your own code. I know, there are plenty of examples of good libraries that are not well funded, so they became insecure because the developers cannot dedicate time to maintain them properly; one recent example comes to mind: OpenSSL and the Heartbleed bug. On one side you have all these companies buying expensive Linux distros from respectable vendors with the guarantee that if something goes wrong the vendor will fix it, and on the other side the vendor pockets the money and doesn't fund the developers that make it exist in the first place, or at least the most critical libraries that justify the companies buying Linux instead of getting it for free and directly funding the projects they believe they critically depend on.