This week, the developer of the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The 'node-ipc' package, which gets downloaded over a million times weekly, began deleting files on developers' machines, in addition to creating new text files with "peace" messages.
Rolling release systems do test their packages before they release, but it's usually just that package in particular. They don't always test how packages that depend on it will work. So if library A updates from version 1.1 to version 1.2, application B, which depends on library A, might start having bugs if it wasn't developed against libA 1.2.
That said, they still will do cross compiling, so if libA updates to 2.0 and appB no longer compiles anymore, they'll usually hold off releasing libA2.0 until all core apps that depend on it are upgraded, as with major libraries like GLIBC. Or release libA1.0 and lib2.0 separately.
For community or user-submitted stuff it's wild west though.