The only surefire way is to read it all. And understand it all. That ain’t happening though. So you decide how much to do.
You should figure out how many people are landing patches and get a rough sense of why. Same for folks filing issues or talking about the project in general. Maybe you trust one of the contributors for some reason. Either way, you want to know how alive the project is.
You could land a patch.
You could spot check parts of the code.
You could run vulnerability scanners on it.
I dunno. It’s hard.
The point of the license combination they use is to allow the enterprise version to be open and live in the same repo as everything else. Dunno if that’s what they do, but that’s why the elastic license exists.