Developers: Placing Trust in Strangers
Pulling in a dependency from another developer is placing a remarkable amount of trust in them – as there’s no release process, no opportunity for code signing (which is missing from most dependency systems), nothing but faith in that developer.
Source: adamcaudill.com
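The practical counter to "nothing but faith" is to pin what you reviewed and refuse anything else. The following is an added example, not code from adamcaudill.com: a stand-alone, standard-library-only check in the spirit of `pip install --require-hashes`, where a lockfile records a SHA-256 per dependency and the installer verifies every served artifact against it. All artifact bytes and lockfile lines are constructed in memory for the demo; the `leftpad` and `colors` names are placeholders, not references to real packages.

```python
"""Pinned-hash verification of dependencies (added example, not from
adamcaudill.com). Mirrors what `pip install --require-hashes` enforces, using
only the standard library. Every artifact and lockfile line below is
constructed in memory for the demo; nothing is downloaded.
"""
import hashlib
import hmac
import re

# One lockfile line per dependency, in pip's "requirements with hashes" syntax.
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)"
    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> dict:
    """Map package name -> (version, sha256 hex). An entry without a pin, or
    with a malformed one, is an error: an unpinned line is exactly the
    'nothing but faith' case, so the installer must refuse to proceed."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"lockfile line {lineno}: not hash-pinned: {raw!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> bool:
    """True only if the bytes we were served match the pin recorded when the
    dependency was reviewed. A newer upstream release, a re-upload under the
    same version, or a package missing from the lockfile all fail."""
    pin = pins.get(name.lower())
    if pin is None:
        return False
    pinned_version, pinned_digest = pin
    if version != pinned_version:
        return False
    # Constant-time compare out of habit; the digests are not secret here.
    return hmac.compare_digest(sha256_hex(data), pinned_digest)


def verify_all(artifacts: dict, lockfile_text: str) -> dict:
    """artifacts: {(name, version): bytes} as served by the index.
    Returns {name: bool}; a real installer aborts on any False."""
    pins = parse_lockfile(lockfile_text)
    return {name: verify_artifact(name, ver, data, pins)
            for (name, ver), data in artifacts.items()}


# --- Constructed demo data (placeholder package names) ----------------------
# What the artifacts looked like when the developer reviewed and pinned them.
REVIEWED = {
    ("leftpad", "1.0.0"): b"leftpad 1.0.0 tarball (constructed)",
    ("colors", "2.0.0"): b"colors 2.0.0 tarball (constructed)",
}
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{sha256_hex(data)}"
    for (name, ver), data in REVIEWED.items()
) + "\n"

# What the index serves later: colors 2.0.0 silently re-uploaded with extra
# bytes, plus an unexpected newer release of leftpad.
SERVED_LATER = {
    ("leftpad", "1.0.1"): b"leftpad 1.0.1 tarball (constructed)",
    ("colors", "2.0.0"): b"colors 2.0.0 tarball (constructed) + payload",
}

if __name__ == "__main__":
    print("at pin time:", verify_all(REVIEWED, LOCKFILE))
    print("later:      ", verify_all(SERVED_LATER, LOCKFILE))
    # at pin time: {'leftpad': True, 'colors': True}
    # later:       {'leftpad': False, 'colors': False}
```

The pin is only as good as the review that produced it: hash pinning freezes the bytes you looked at, it does not vouch for them. It also moves the trust from the package index to the lockfile, so the lockfile itself belongs in version control and under code review.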