
Not to mention that there are hundreds of authors and packages in most dependency trees, and it's highly unlikely people are doing any kind of audit on all of them and their updates, before letting them be part of their applications.

