Hacker News
by int_19h 1143 days ago
For something like this, I think I would actually prefer that they copied existing code for hashing. It's simple and stable enough to avoid taking a dependency.

Existing code like the code in the sha2 crate??
Sure. Or rather the parts of it that they're actually using.
What would be the point of that?
A single bundle of code is easier to audit and easier to package.
It's harder to package if you're using Cargo. Using the sha2 crate is one line. Copying the code into your project is a ton more work.

Ease of auditing is debatable. Using shared popular libraries gives the benefit of lots of people using them.

Plus actual code audits are very rare and of dubious value. They're mostly useful for finding out how well written the code is rather than finding bugs. For that you basically want fuzzing.