People finally learned that capital has nationality. They now need to learn that code has it as well.

It doesn't matter that it's open source if most contributions and maintenance effort come from MS, Google, Oracle, Red Hat etc. These companies control these projects.

Depends if anyone actually bothers to read the code for supply chain attacks.

Also it would be great not to depend on that poor fellow in Nebraska to keep it running, and being further developed.

That would not immediately stop you using it, and state sponsored attacks using exploits from supply chain attacks would be a far more aggressive move than just stopping supplying services.

I do not know whether it would be technically an act of war, but its certainly practically so.