by McSwag 1161 days ago
I challenge you to audit all dependencies and, particularly, the sub-dependencies of those. Most people, in my experience, look at a requirements.txt or package.json and think that’s everything but your dependency tree is going to be easily 3-4x that size.

Node.js is particularly notorious for this. It’s a big challenge for having non-flat dependency management and there’s no great solution for this problem.

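To put a number on the "3-4x" claim above, the script below walks an npm lockfile (package-lock.json v2/v3 "packages" map) the way Node's resolver does and reports how many packages are actually installed per direct dependency, which nested duplicate copies exist, and which package names ship in more than one version. This is an added example, not code from the post or from any project mentioned in it; the lockfile it parses is constructed inline and the package names in it are made up.

```python
"""Direct vs. installed package count from an npm package-lock.json (v2/v3).

package.json lists what you asked for; the lockfile's "packages" map lists every
copy that lands on disk, including nested duplicates such as
node_modules/a/node_modules/b, so it is the thing an audit has to read.
"""
import json
from collections import deque

# Constructed sample lockfile (hypothetical packages, not a real project).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-fw": "^1.0.0", "log-lib": "^2.0.0"},
             "devDependencies": {"dev-only": "^0.1.0"}},
        "node_modules/web-fw": {"version": "1.0.0",
                                "dependencies": {"http-util": "^3.0.0", "str-util": "^1.0.0"}},
        "node_modules/http-util": {"version": "3.0.0", "dependencies": {"str-util": "^2.0.0"}},
        # http-util needs a str-util major that conflicts with web-fw's, so npm nests a copy.
        "node_modules/http-util/node_modules/str-util": {"version": "2.1.0"},
        "node_modules/str-util": {"version": "1.4.0"},
        "node_modules/log-lib": {"version": "2.0.0", "dependencies": {"color-lib": "^1.0.0"}},
        "node_modules/color-lib": {"version": "1.0.0"},
        "node_modules/dev-only": {"version": "0.1.0", "dev": True},
    },
})


def resolve(packages, location, name):
    """Mimic Node's lookup: nearest node_modules/<name> walking up from `location`."""
    base = location
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")  # strip the innermost "/node_modules/<pkg>"
        base = base[:idx] if idx != -1 else ""


def package_name(location):
    """'node_modules/a/node_modules/b' -> 'b'."""
    return location.rsplit("node_modules/", 1)[1]


def audit_tree(lock_text, include_dev=False):
    """Return counts of what the lockfile really installs, grouped by direct dependency."""
    packages = json.loads(lock_text)["packages"]
    root = packages[""]
    direct = dict(root.get("dependencies", {}))
    if include_dev:
        direct.update(root.get("devDependencies", {}))

    reachable = {}    # installed location -> set of direct deps that pull it in
    per_direct = {}   # direct dep -> number of installed packages under it (itself included)
    for name in direct:
        start = resolve(packages, "", name)
        if start is None:
            continue  # listed but not installed: worth flagging in a real audit
        seen, queue = set(), deque([start])
        while queue:
            cur = queue.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            for dep in packages[cur].get("dependencies", {}):
                child = resolve(packages, cur, dep)
                if child is not None and child not in seen:
                    queue.append(child)
        per_direct[name] = len(seen)
        for loc in seen:
            reachable.setdefault(loc, set()).add(name)

    versions = {}
    for loc in reachable:
        versions.setdefault(package_name(loc), set()).add(packages[loc].get("version", "?"))

    return {
        "direct": len(direct),
        "installed": len(reachable),
        "multiplier": len(reachable) / len(direct) if direct else 0.0,
        "per_direct": per_direct,
        # nested copies: more than one "node_modules/" segment in the path
        "duplicates": sorted(loc for loc in reachable if loc.count("node_modules/") > 1),
        # names that must be audited at more than one version
        "versions": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
    }


if __name__ == "__main__":
    report = audit_tree(SAMPLE_LOCK)
    print(f"{report['direct']} direct deps -> {report['installed']} installed "
          f"packages ({report['multiplier']:.1f}x)")
    for name, count in report["per_direct"].items():
        print(f"  {name}: {count} packages")
    print("nested duplicates:", report["duplicates"])
    print("multi-version names:", report["versions"])
```

Point it at a real lockfile with `audit_tree(open("package-lock.json").read())`; the `versions` entry is the one that matters for an audit, because a fix you reviewed in one copy of a package says nothing about the other version installed three directories deeper.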

Well, I don't use Node.js and I'm careful about cargo dependencies, so I actually can do this with every project I have worked on, and I value the ability to do it. It has led to a lot more sleep, as I understand it, than people with critical projects that rely on npm get. Cargo doesn't exactly have all of the problems that npm has, but it is already kind of time consuming to audit your dependencies in Rust.
Sure, you can do it. But, have you? I'm betting not, and I think that's the point.