These days I find it hard to trust the many dependencies installed by language-level package managers. OS-level system package managers tend to do better, but they too have had incidents.
Then why do you have them installed? Surely you're not using those dependencies you don't trust as actual dependencies of your server application, are you?
My application depends on libuseful version 1 or later. libuseful_1 depends on libtiny, but libuseful_2 depends on libbigballofmud, which consists of libtiny and 800 other libraries that have been merged together for political reasons. libuseless, which was also merged into libbigballofmud, depends on rce-daemon, or nvidia-brick-the-install, or systemd, and I've never heard of rce-daemon before, so it's not blacklisted and installs with no error message. As the other two options suggest, this is not hypothetical.
But no; my desktop machine has a video card that doesn't display anything (black screen) if booted with the non-legacy nvidia drivers. I had to boot off an old 32-bit install to get rid of them and then wrestle apt/dpkg back into a sane state.
Ah right, yes, Nvidia frequently drops support for old models in their newer driver releases. I'm so happy I have left that world behind, with both my PC and notebook using AMD GPUs.