by kentm
2821 days ago
I would argue that you should be able to and then follow that up as to why it's prohibitive (and what prohibitive means)? At least on the library side, there tends to be a default-to-trust to the point where large projects put dependencies on libraries that are built by literally one-guy-with-a-GitHub. I posit that developers should be more critical of including dependencies, and factors like "can we guarantee support" and "how do we know it doesn't have malware, both now and in the future, and who can we hold responsible if it does" should be considered for every dependency we add. As it is, I find a lot of developers will uncritically slurp in any dependency or library that saves them a bit of effort. If the tooling isn't there to help with this problem then it should be built.
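The comment above asks for tooling that makes the questions "can we guarantee support", "how do we know it doesn't have malware" and "who is responsible" explicit for every dependency. The script below is an added illustration, not the commenter's code, of what such an intake gate can look like: it takes facts about each candidate package (maintainer count, release recency, license, whether the lockfile pins it by hash, how many transitive packages it drags in) and turns them into findings that either block the merge or require a written justification. All package names, dates and policy thresholds are constructed sample values; in practice the facts would be pulled from the package registry and the lockfile.

```python
"""Dependency-intake review gate (added example; constructed data, hypothetical policy)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PackageFacts:
    """Facts about one candidate dependency (constructed sample values are used below)."""
    name: str
    version: str
    maintainers: int        # people with publish rights on the package
    last_release: date      # date of the most recent release
    license: str            # SPDX identifier
    hash_pinned: bool       # artifact pinned by content hash in the lockfile?
    transitive_deps: int    # further packages this one pulls in


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str   # "block": stops the merge; "warn": needs a written justification
    reason: str


# Hypothetical thresholds; an organisation would tune these to its own risk appetite.
POLICY = {
    "min_maintainers": 2,
    "max_release_age_days": 365,
    "allowed_licenses": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "max_transitive_deps": 25,
}


def review_package(pkg: PackageFacts, today: date, policy: dict = POLICY) -> list[Finding]:
    """Evaluate one package against the policy and return every rule it trips."""
    findings: list[Finding] = []
    # "Who can we hold responsible" / bus factor: a single publisher is also a single
    # account to compromise.
    if pkg.maintainers < policy["min_maintainers"]:
        findings.append(Finding(pkg.name, "warn",
                                f"only {pkg.maintainers} maintainer(s): bus-factor and account-takeover risk"))
    # "Can we guarantee support": a long-silent package will not ship fixes.
    age_days = (today - pkg.last_release).days
    if age_days > policy["max_release_age_days"]:
        findings.append(Finding(pkg.name, "warn",
                                f"last release {age_days} days ago: ongoing support is uncertain"))
    # Licensing is a hard stop because it cannot be fixed by the consuming team.
    if pkg.license not in policy["allowed_licenses"]:
        findings.append(Finding(pkg.name, "block",
                                f"license {pkg.license!r} is not on the allow-list"))
    # "Malware in the future": without a hash pin, a later upload that satisfies the
    # same version range is installed silently.
    if not pkg.hash_pinned:
        findings.append(Finding(pkg.name, "block",
                                "not hash-pinned in the lockfile: future uploads would be installed unreviewed"))
    # Every transitive package needs the same review; cap the blast radius.
    if pkg.transitive_deps > policy["max_transitive_deps"]:
        findings.append(Finding(pkg.name, "warn",
                                f"pulls in {pkg.transitive_deps} transitive packages, each needing review"))
    return findings


def gate(packages: list[PackageFacts], today: date, policy: dict = POLICY) -> tuple[bool, list[Finding]]:
    """Run the review over a change set; approved only if nothing is a hard block."""
    findings = [f for p in packages for f in review_package(p, today, policy)]
    approved = not any(f.severity == "block" for f in findings)
    return approved, findings


# Constructed sample change set: one healthy package, one single-maintainer package
# that has gone quiet, and one unpinned package with an unapproved license.
SAMPLE_PACKAGES = [
    PackageFacts("well-kept-lib", "3.2.1", 5, date(2024, 5, 10), "MIT", True, 4),
    PackageFacts("one-dev-util", "0.1.0", 1, date(2021, 1, 3), "MIT", True, 0),
    PackageFacts("shiny-helper", "1.0.0", 3, date(2024, 4, 1), "SSPL-1.0", False, 40),
]
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" so the example is deterministic

if __name__ == "__main__":
    ok, results = gate(SAMPLE_PACKAGES, REVIEW_DATE)
    for f in results:
        print(f"[{f.severity.upper():5}] {f.package}: {f.reason}")
    print("merge approved" if ok else "merge blocked pending review")
```

The point of writing the checks as data-driven rules is that a team can wire the gate into CI and review the policy itself rather than re-litigating each dependency in a pull request; the "warn" findings leave an audit trail of who accepted a one-maintainer package and why.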