
What is the alternative? What do you propose?



Not blindly pulling in dependencies from the internet?

"Blindly" is the problem here, not "pulling dependencies" or "internet".

Also, no, you won't get to a literally 0.0000...% chance of bad stuff getting into your code, but some simple due diligence will slice several factors of magnitude off your probabilities; pick up another couple of factors if the community in general also tends to have people examining their dependencies. It gets to be pretty hard to sneak stuff in under those circumstances. It's been done, so we know it's not 0.0000...% likely, but it's less likely than the current state of the art in several language communities.

(And, also, yes, said language communities are working on it. I salute them for this effort, not condemn them for the existing problem.)
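One concrete form of the "simple due diligence" the comment above argues for, as an added example that is not the commenter's code: a small Python script that diffs two npm package-lock.json files and reports newly introduced transitive packages, version changes, and entries missing an integrity hash, so an update can be reviewed rather than blindly installed. The two lockfiles, their package names and versions are constructed samples embedded inline for illustration.

```python
import json

# Constructed sample lockfiles (npm package-lock v1 shape: a "dependencies" map
# whose entries may nest their own "dependencies"). The "after" file bumps a
# package by a patch version and, as part of that bump, pulls in a brand-new
# transitive dependency, which is exactly what a review should surface.
LOCK_BEFORE = json.dumps({"dependencies": {
    "event-stream": {"version": "1.0.0", "integrity": "sha512-CONSTRUCTED-A"},
}})
LOCK_AFTER = json.dumps({"dependencies": {
    "event-stream": {"version": "1.0.1", "integrity": "sha512-CONSTRUCTED-B",
        "requires": {"added-dep": "0.1.0"},
        "dependencies": {
            "added-dep": {"version": "0.1.0", "integrity": "sha512-CONSTRUCTED-C"},
        }},
}})


def flatten(deps, prefix=""):
    """Flatten nested lockfile entries into {"parent > child": (version, integrity)}."""
    out = {}
    for name, meta in deps.items():
        path = f"{prefix}{name}"
        out[path] = (meta.get("version"), meta.get("integrity"))
        out.update(flatten(meta.get("dependencies", {}), prefix=path + " > "))
    return out


def diff_locks(before_json, after_json):
    """Compare two lockfiles and return what a reviewer should look at."""
    before = flatten(json.loads(before_json).get("dependencies", {}))
    after = flatten(json.loads(after_json).get("dependencies", {}))
    report = {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        # (path, old_version, new_version) for every entry whose version or hash moved
        "changed": sorted((p, before[p][0], after[p][0])
                          for p in after.keys() & before.keys() if before[p] != after[p]),
        # entries with no integrity field cannot be pinned to known content
        "no_integrity": sorted(p for p, (_, integ) in after.items() if not integ),
    }
    return report


if __name__ == "__main__":
    for kind, items in diff_locks(LOCK_BEFORE, LOCK_AFTER).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against a real pair of lockfiles (read from disk in place of the constructed strings), the "added" list is the one to inspect by hand before accepting the update.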


Hillel Wayne did a detailed in-depth analysis of the event-stream issue and it's really worth reading if you're interested in how to change this situation to be more robust:

https://www.hillelwayne.com/post/stamping-on-eventstream/


I probably still have some old Slackware discs around somewhere.


PGP?



