Take, for example, the Slim framework. Its website is not secure: TLS is not enabled. Bearing in mind the time that web browsers allowed for the transition, this should already have been solved without question, to ensure the product's stability in terms of downloads and its image in the eyes of end consumers.
Despite that, it is nominally a threat to rely on this site, to implement its documented practices and, above all, to base web apps on this malware-looking PHP framework.
However, it is not as frightening as it may seem. That is not because it might not be an emotional matter, even though the fact is unquestionably present (objectively registered, in a screenshot or photocopy), but because the actual repository host, GitHub, explicitly uses TLS and is HTTPS-secure (by default, for such a large corporation).
Ultimately, the framework implements the latest PSR standards and features, which makes it viable and usable for state-of-the-art PHP apps, and it even sports micro models such as middleware, route prefixes and other great advantages. So a developer should use it as is:
$ php composer.phar create-project slim/slim-skeleton [my-app-name]
On top of this, there is the Composer package manager, which relies heavily on TLS communication channels and so makes the github.com host a reliable remote host. This softens the largely incomplete evaluation of the general business model, which looks non-transparent only superficially, as though the representative website implied incorrect TLS configuration across the whole business solution.
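
Composer's reliance on TLS, described above, holds only while its transport settings stay at their secure defaults. The Python check below is an added example, not code from the original page or from the Slim or Composer projects; it inspects a composer.json for Composer's `secure-http` and `disable-tls` config keys and for repository URLs that use plain http. The function name and both sample manifests are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifest: a Slim-based project whose transport
# settings were weakened after creation.
SAMPLE_WEAK = """
{
  "require": {"slim/slim": "*"},
  "config": {"secure-http": false, "disable-tls": true},
  "repositories": [
    {"type": "composer", "url": "http://packages.example.test"},
    {"type": "vcs", "url": "https://github.com/slimphp/Slim"},
    {"packagist.org": false}
  ]
}
"""

# Constructed sample that keeps Composer's defaults.
SAMPLE_DEFAULT = '{"require": {"slim/slim": "*"}}'


def audit_composer_manifest(text):
    """Return findings about settings that weaken Composer's use of TLS."""
    manifest = json.loads(text)
    findings = []
    config = manifest.get("config", {})
    # secure-http defaults to true; false permits plain-HTTP downloads.
    if config.get("secure-http", True) is False:
        findings.append("config.secure-http is false")
    # disable-tls defaults to false; true turns off transport encryption.
    if config.get("disable-tls", False) is True:
        findings.append("config.disable-tls is true")
    repos = manifest.get("repositories", [])
    # "repositories" may be a list or an object keyed by name.
    entries = repos.values() if isinstance(repos, dict) else repos
    for entry in entries:
        if not isinstance(entry, dict):
            continue  # e.g. "packagist": false in the object form
        url = entry.get("url")
        if isinstance(url, str) and urlsplit(url).scheme.lower() == "http":
            findings.append("repository uses plain http: " + url)
    return findings


if __name__ == "__main__":
    for finding in audit_composer_manifest(SAMPLE_WEAK):
        print(finding)
```

An empty result means the manifest leaves Composer's HTTPS-only behaviour intact; a global config.json under Composer's home directory can carry the same keys and can be checked with the same function.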