This is why I strongly prefer languages with a comprehensive standard library. I trust my Python/golang/dotnet/whatever install, so the number of third party packages I need to pull in is much smaller and more easily audited.
It may not be the request package itself but a sub-dependency. It only has a few from looking at the repo, but something like Flask can have a lot (especially with the plugins), and that's a mainstream and well-supported library.
Well, it starts with a culture of taking responsibility when adding a dependency. We want people to look at child dependencies and just think more critically about them before checking in code. This is mostly to prevent bloat, but sometimes we catch unmaintained packages or accidentally pulling in a random fork rather than the community-supported variant, for example.
We also run SAST in our GitLab pipelines and include reviewing the output as part of the code review and release process so that we can catch CVEs that may not have been known when we first installed a package.
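A small script that does the "look at child dependencies" step from the comment above, as an added example that is not from the thread or any project mentioned in it: it walks the transitive closure of a direct dependency and flags packages that nobody has signed off on or that have not shipped a release in a long time. The dependency graph, release dates and reviewed set are constructed inline (the dates are illustrative, not real release history); in practice you would load them from `pip inspect`, a lockfile, or your package index.

```python
"""Audit the transitive dependencies of a direct dependency before check-in."""
from datetime import date

# Constructed adjacency map: package -> packages it declares as dependencies.
# Hand-written for this example; real data would come from pip inspect or a lockfile.
DEP_GRAPH = {
    "flask": ["werkzeug", "jinja2", "click", "itsdangerous", "blinker"],
    "jinja2": ["markupsafe"],
    "werkzeug": ["markupsafe"],
    "click": [], "itsdangerous": [], "blinker": [], "markupsafe": [],
    "requests": ["urllib3", "idna", "charset_normalizer", "certifi"],
    "urllib3": [], "idna": [], "charset_normalizer": [], "certifi": [],
}

# Constructed, illustrative last-release dates (not the real release history).
LAST_RELEASE = {
    "werkzeug": date(2024, 3, 1), "jinja2": date(2024, 1, 10),
    "click": date(2023, 8, 17), "itsdangerous": date(2024, 4, 16),
    "blinker": date(2021, 1, 1), "markupsafe": date(2024, 2, 2),
    "urllib3": date(2024, 6, 1), "idna": date(2024, 4, 1),
    "charset_normalizer": date(2024, 5, 20), "certifi": date(2024, 6, 10),
}

# Packages a human has already reviewed. Anything outside this set, including
# an unfamiliar fork of a known package, shows up as "not reviewed".
REVIEWED = {"werkzeug", "jinja2", "click", "blinker", "markupsafe",
            "urllib3", "idna", "charset_normalizer", "certifi"}


def transitive_deps(graph, root):
    """Return every package reachable from root (root itself excluded)."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend(graph.get(pkg, []))
    return seen


def audit(root, graph=DEP_GRAPH, last_release=LAST_RELEASE,
          reviewed=REVIEWED, today=date(2024, 7, 1), stale_days=730):
    """Map each flagged transitive dependency of root to the reasons it was flagged."""
    findings = {}
    for pkg in sorted(transitive_deps(graph, root)):
        reasons = []
        if pkg not in reviewed:
            reasons.append("not reviewed")
        released = last_release.get(pkg)
        if released is None:
            reasons.append("no release info")
        elif (today - released).days > stale_days:
            reasons.append(f"last release {released.isoformat()}")
        if reasons:
            findings[pkg] = reasons
    return findings
```

Run `audit("flask")` to get the review list for that one direct dependency; an empty dict means nothing needs a second look.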