by brulard 2353 days ago
I believe there could be some malicious code added to the bundle by these dependencies regardless of where it is being run.

I was mostly addressing the part regarding malicious dependencies gaining access to your local filesystem.

If we are talking about the final bundle itself being compromised, there is not really a technical solution to that other than not using dependencies.