Solaris keeps its timezone files in /usr/share/lib/.

To check it, run:

zdump -v /usr/share/lib/zoneinfo/US/Eastern | grep 2007

The following example was done on OpenBSD 3.8 for northamerica.

There are security and stability issues around having more code than you bargained for being active on production systems.

The author of tzdata takes the position that having up-to-date TZ data is more important than the potential downsides; for direct users of the library that's arguable, as someone who directly uses it apparently has an interest in TZ calculations (I'd still disable it), and the author documented how to disable it.

I discovered that this library includes tzdata, which auto-updates time zone data.

Would a prominent mention of this behavior in the README be a PR that you'd consider merging in?

The package has been around for a long time now, and having managed many production Elixir applications at this point, it's never been a problem in my experience.

That's not to say it can't be, but the track record has been a good one up to this point.

By default Tzdata will poll for timezone database updates every day.

In case new data is available, Tzdata will download it and use it.

I also think the security risk here is very minimal due to how the data fetched from IANA is handled, but the process would need to be audited to know for sure.