Each developer may choose to minimize the software dependency attack surface to a different degree.
Perhaps they would trust a package published by Google without a review, but would require a review before using a package from an indie developer.
Incremental decreases in the attack surface are valuable.