Can open source be saved from the EU’s Cyber Resilience Act?