
> you're always a silent update away from it all being dumped on the internet.

This is true of all password managers that have any ability to connect to the internet. You’re one silent update away from your manager suddenly uploading all your passwords to a random endpoint in Russia.



Theoretically, if you audit the source then you only really need to care about updates to the actual code. If it doesn't do silent updates then it can't change underneath you, even if it does some kind of network operations.

It's not foolproof, but it feels better than a black box that could be a different black box tomorrow or after the next acquisition or round of investment.



