Is the internet at the mercy of a handful of developers?
In his post The Node.js Ecosystem Is Chaotic and Insecure, Casper Beyer cites trivial packages such as left-pad, is-odd and is-number, and goes on to say that the way to be responsible with dependencies is…
…don’t trust package managers, every dependency is written by some random developer somewhere in the world and is a potential attack vector. … Is this being too paranoid? Perhaps, or maybe it’s the healthy amount considering the massive reach these trivial packages can have.
While the post focuses on Node.js, the lesson applies anywhere your code pulls in third-party dependencies: each one is code you did not write, from a publisher you did not vet, running with the same privileges as your own.