> One of the important things to take away from this is that every dependency could be malicious. We should take the time to understand the entire dependency tree of our programs, but we aren't given that time. At the end of the day, we still have to ship things.

That's why you need vuln scanners and not upgrade to the latest thing as soon as released.