I have been writing for years that package managers are a big security risk, and if you’re writing a platform that’s going to be used everywhere, you should import code by hand and verify what has changed. Or just write it yourself. Yes, seriously. Learn what your code base does. If your library is used N times, then every hour you spend saves N people-hours.

It’s just like using Slack: you think you’re saving time because of the immediacy, but wind up paying the price down the line, because one person can save N people time with threaded asynchronous stuff.

Others have said this as well: https://news.ycombinator.com/item?id=15272394

I plug this every time, but here goes: https://github.com/crev-dev/crev solves this by providing code reviews, scales via a web-of-trust model, and relies on cryptographic identities. That way, you can depend on a package without having to trust its maintainers and all future versions.
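A toy illustration of the model this comment describes (added here as an example; it is not code from the crev project and does not use crev's actual proof format): reviewer identities are ed25519 keys, a review is a signed statement about a (package, version, source digest) triple, and trust is computed by walking a hop-limited trust graph outward from your own identity. A package version is accepted only if enough valid proofs come from identities inside that web of trust and their digest matches the bytes you actually downloaded. The package name, version strings and source bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Identity is a reviewer keypair. The ID is the base64 public key, so anyone
// holding a proof can check which key signed it. (Toy model, not crev's format.)
type Identity struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewIdentity() Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{ID: base64.StdEncoding.EncodeToString(pub), priv: priv}
}

// ReviewProof: "Reviewer looked at Package@Version whose source hashed to Digest".
type ReviewProof struct {
	Package, Version, Digest, Reviewer string
	Sig                                []byte
}

// payload is the exact byte string that gets signed; NUL separators stop
// field-boundary games like moving characters between Package and Version.
func (r ReviewProof) payload() []byte {
	return []byte(r.Package + "\x00" + r.Version + "\x00" + r.Digest + "\x00" + r.Reviewer)
}

func (id Identity) Review(pkg, version string, source []byte) ReviewProof {
	sum := sha256.Sum256(source)
	p := ReviewProof{Package: pkg, Version: version, Digest: hex.EncodeToString(sum[:]), Reviewer: id.ID}
	p.Sig = ed25519.Sign(id.priv, p.payload())
	return p
}

// Verify checks the signature against the public key embedded in Reviewer.
func (r ReviewProof) Verify() bool {
	pub, err := base64.StdEncoding.DecodeString(r.Reviewer)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), r.payload(), r.Sig)
}

// TrustGraph maps an identity to the identities it vouches for. In a real
// system these edges would be signed proofs too; that is omitted here.
type TrustGraph map[string][]string

// Trusted returns every identity reachable from root in at most maxHops edges.
func (g TrustGraph) Trusted(root string, maxHops int) map[string]bool {
	seen := map[string]bool{root: true}
	frontier := []string{root}
	for hop := 0; hop < maxHops && len(frontier) > 0; hop++ {
		var next []string
		for _, id := range frontier {
			for _, t := range g[id] {
				if !seen[t] {
					seen[t] = true
					next = append(next, t)
				}
			}
		}
		frontier = next
	}
	return seen
}

// Accept says whether to use pkg@version with the downloaded source bytes:
// it needs minReviews valid proofs from identities within maxHops of root,
// each binding exactly this package, version and digest.
func Accept(root string, g TrustGraph, proofs []ReviewProof, pkg, version string, source []byte, minReviews, maxHops int) bool {
	sum := sha256.Sum256(source)
	digest := hex.EncodeToString(sum[:])
	trusted := g.Trusted(root, maxHops)
	count := 0
	for _, p := range proofs {
		if p.Package == pkg && p.Version == version && p.Digest == digest && trusted[p.Reviewer] && p.Verify() {
			count++
		}
	}
	return count >= minReviews
}

// Demo walks through the cases the comment cares about: a reviewed release,
// an unreviewed new release from the maintainer, a release whose bytes were
// swapped under a reviewed version string, and a reviewer outside our hop limit.
func Demo() (reviewed, unreviewedUpdate, tampered, outOfReach bool) {
	me, alice, bob := NewIdentity(), NewIdentity(), NewIdentity()
	g := TrustGraph{me.ID: {alice.ID}, alice.ID: {bob.ID}} // I trust alice; alice trusts bob
	v1 := []byte("fn left_pad(s: &str, n: usize) -> String { /* constructed v1.0.0 */ }")
	v2 := []byte("fn left_pad(s: &str, n: usize) -> String { /* constructed v1.0.1 */ }")
	swapped := []byte("fn left_pad(s: &str, n: usize) -> String { exfiltrate(); /* same tag */ }")
	proofs := []ReviewProof{alice.Review("leftpad", "1.0.0", v1), bob.Review("leftpad", "1.0.0", v1)}
	reviewed = Accept(me.ID, g, proofs, "leftpad", "1.0.0", v1, 2, 2)
	unreviewedUpdate = Accept(me.ID, g, proofs, "leftpad", "1.0.1", v2, 1, 2)
	tampered = Accept(me.ID, g, proofs, "leftpad", "1.0.0", swapped, 1, 2)
	outOfReach = Accept(me.ID, g, proofs, "leftpad", "1.0.0", v1, 2, 1) // bob is 2 hops away
	return
}

func main() {
	fmt.Println(Demo())
}
```

The point the example makes concrete is the one in the comment: the decision to use a dependency rests on signed reviews from people you (transitively) trust, not on the maintainer's identity or on the registry, so a new upload by the maintainer or a swapped tarball under an already reviewed version string is simply not accepted until someone in your web of trust reviews it.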