
The whole deal with packages is to make it really, really easy to discover and integrate them, without having to worry about where they came from, or who has had their fingers in the pie. It's [theoretically] possible to find out, but I have never met anyone that admits to vetting their dependencies in anything near complete fashion. Most look at "buzz" around the package, and at how many stars it has.

That's wonderful. So is going out clubbing, and "getting to know" a whole bunch of different folks that you meet randomly.

Both can have unfortunate side effects.

It's entirely possible to do so safely, but Christian coffeehouses might not be your idea of a good time on Saturday night.

But nothing is perfect, and a dedicated blackhat can leverage just about anything.
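As an added illustration (not the commenter's code, and not tied to any particular project), here is the cheapest first step toward actually vetting dependencies rather than counting stars: a small audit of a pip requirements file that reports, per dependency, whether it is version-pinned and whether it carries an integrity hash. An unpinned, unhashed requirement can resolve to a different artifact on every install, so this is the floor below which "vetting" has not started. The requirements text is constructed for the example; the function and variable names are my own.

```python
"""Added example: audit a pip requirements file for pinning and hashes.
Not from the comment above; the sample requirements text is constructed."""
import re
from typing import Dict, Iterator, List

# Constructed sample: mixes pinned+hashed, pinned-only, unpinned and VCS lines.
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project's file
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.0.7
flask>=2.0
-e git+https://example.invalid/org/tool.git#egg=tool
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
_PIN_RE = re.compile(r"==\s*[0-9][^\s;]*")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued physical lines into logical requirement lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text: str) -> Dict[str, str]:
    """Classify each requirement as 'pinned+hashed', 'pinned', 'unpinned' or 'vcs'.
    Comment and blank lines are skipped. Keys are lower-cased package names,
    except VCS/URL/editable entries, which are keyed by the whole line."""
    report: Dict[str, str] = {}
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e") or "git+" in line or "://" in line:
            # Editable/VCS/URL requirements bypass the index entirely; flag them.
            report[line] = "vcs"
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        pinned = bool(_PIN_RE.search(line))
        hashed = bool(_HASH_RE.search(line))
        if pinned and hashed:
            report[name] = "pinned+hashed"
        elif pinned:
            report[name] = "pinned"
        else:
            report[name] = "unpinned"
    return report


def weakest(report: Dict[str, str]) -> List[str]:
    """Return entries that are not both pinned and hashed, worst first."""
    order = {"vcs": 0, "unpinned": 1, "pinned": 2}
    return sorted((k for k, v in report.items() if v != "pinned+hashed"),
                  key=lambda k: order[report[k]])


if __name__ == "__main__":
    rep = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, status in rep.items():
        print(f"{name:50s} {status}")
    print("needs attention:", weakest(rep))
```

Run it against a real requirements file by reading the file into `audit_requirements`; anything that is not `pinned+hashed` is a dependency whose exact bytes you have not committed to, which is where a provenance review would have to begin.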
