If your standard is that third-party code must be audited, you'll have quite a small selection of software to use. It's mostly all running on faith and reputation and counting on good intentions. (Like society generally!)
The specific issue described is a recent development. I'm a former Mozillian, and this is surprising to hear. In the pre-Rust days, this NPM-style fractal-of-dependencies approach wasn't a thing in Gecko/Firefox, and anyone naively insisting that this is just how things work in software development (and purportedly have to work) was someone who demonstrably didn't know what they were talking about. Looks like we've lost some of the "demonstrably" part.
I wasn't talking about Firefox specifically; I could have made that more explicit... But it's good to hear that Mozilla has a good culture for this. If there is something you can say or link to about systematic third-party code auditing at Mozilla, e.g. whether results are public, it would be interesting to hear. Or about how many vulnerabilities are discovered in code audits vs. post-shipping security testing like fuzzing and other pentesting-y activities.
(Of course, good control of versions is still a worthy goal for many situations even if you don't do this.)