Making dependency management easy, you end up with a large tree of dependencies. It is one of the main concerns I have with modern package managers.

In my opinion, it lacks a kind of trust management. Packages from the same team/author could belong to the same trust group. When a package gets updated, we have to audit dependencies from new trust groups. This could create a culture of reduced and audited third-party dependencies.

I have just informally pitched both your idea and mine to the Rust security team :) We'll see what they think about it!

If it somehow works, feel free to use this message as the proof that I got the idea from you :)
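The trust-group rule from the post above, as an added example that is not code from this thread or from cargo-crev: given the resolved dependency tree before and after an update, with each crate tagged by the team that publishes it, it reports only the crates whose trust group is new to the tree. Crate and group names are constructed sample data.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A resolved dependency: crate name plus the publishing team/author that
/// defines its trust group. Real tooling would take this from the registry
/// or lockfile; here the values are constructed.
#[derive(Clone, Debug)]
pub struct Dep {
    pub name: &'static str,
    pub trust_group: &'static str,
}

/// Map trust group -> crates belonging to it for one resolved tree.
fn groups(tree: &[Dep]) -> BTreeMap<&'static str, BTreeSet<&'static str>> {
    let mut m: BTreeMap<_, BTreeSet<_>> = BTreeMap::new();
    for d in tree {
        m.entry(d.trust_group).or_default().insert(d.name);
    }
    m
}

/// Crates pulled in by `new` whose trust group was absent from `old`.
/// These are the ones the "audit new trust groups" rule flags for review;
/// crates from groups already present in `old` pass without a fresh audit.
pub fn needs_audit(old: &[Dep], new: &[Dep]) -> BTreeMap<&'static str, BTreeSet<&'static str>> {
    let old_groups = groups(old);
    groups(new)
        .into_iter()
        .filter(|(g, _)| !old_groups.contains_key(g))
        .collect()
}

fn main() {
    // Constructed dependency trees before and after bumping one dependency.
    let before = vec![
        Dep { name: "app", trust_group: "us" },
        Dep { name: "json", trust_group: "json-team" },
        Dep { name: "json-derive", trust_group: "json-team" },
    ];
    let after = vec![
        Dep { name: "app", trust_group: "us" },
        Dep { name: "json", trust_group: "json-team" },
        Dep { name: "json-derive", trust_group: "json-team" },
        Dep { name: "http", trust_group: "http-team" },
        Dep { name: "http-tls", trust_group: "http-team" },
        Dep { name: "rng", trust_group: "rng-team" },
    ];
    for (group, crates) in needs_audit(&before, &after) {
        println!("new trust group {}: audit {:?}", group, crates);
    }
}
```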

There is a similar idea being explored with https://github.com/crev-dev/cargo-crev - you trust a reviewer who reviews crates for trustworthiness, as well as other reviewers.