k__ 3 hours ago
Maybe we have to rethink dependencies from the ground up. Implementing everything yourself probably won't cut it. Copying a dependency into your code base and maintaining it yourself probably won't yield much better results. However, if a dependency were part of the version control, dependents could at least do a code review before installing an update. That wouldn't help with new dependencies that come in with issues right from the start, but it could help prevent new malware from slipping in later. A setup like that could benefit from a crowd-sourced review process, similar to Wikipedia. I think Nimble, the package manager of Nim, uses a decentralised registry approach based on Git repos. Something like that could be a good start.
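The "review before installing an update" idea above can be made concrete with a small integrity check. The script below is an added example, not code from the commenter, from Nimble or from any real package manager: it records a manifest of per-file SHA-256 digests for a vendored dependency tree and, when a new version arrives, reports exactly which files were added, removed or modified, so a reviewer knows which files to read before accepting the update. The library name, file names and contents in `demo()` are constructed sample data.

```python
"""Manifest-based review gate for a vendored dependency (added example, not from the thread)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(old: dict, new: dict) -> dict:
    """Return the files a reviewer must inspect, grouped as added / removed / modified."""
    old_files, new_files = set(old), set(new)
    return {
        "added": sorted(new_files - old_files),
        "removed": sorted(old_files - new_files),
        "modified": sorted(p for p in old_files & new_files if old[p] != new[p]),
    }


def review_needed(diff: dict) -> bool:
    """True when the update changed anything at all; an identical tree needs no review."""
    return any(diff.values())


def write_tree(root: Path, files: dict) -> None:
    """Helper for the demo: materialise a {relative_path: text} mapping on disk."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict:
    """Constructed sample: version 1.0 of a fictitious vendored library and a 1.1 update
    that edits one existing file and introduces a brand-new file. Both land in the
    review list; the untouched README does not."""
    with tempfile.TemporaryDirectory() as tmp:
        v1_root = Path(tmp) / "vendored-lib-1.0"
        v2_root = Path(tmp) / "vendored-lib-1.1"
        write_tree(v1_root, {
            "lib/core.py": "def add(a, b):\n    return a + b\n",
            "README.md": "# fictitious vendored library (constructed sample)\n",
        })
        write_tree(v2_root, {
            "lib/core.py": "def add(a, b):\n    return a + b  # changed in 1.1\n",
            "README.md": "# fictitious vendored library (constructed sample)\n",
            "setup_hook.py": "print('new file in 1.1, must be read by a reviewer')\n",
        })
        # In a real setup the 1.0 manifest would be committed alongside the vendored
        # tree, and the 1.1 manifest computed from the incoming update.
        return diff_manifests(build_manifest(v1_root), build_manifest(v2_root))


if __name__ == "__main__":
    changes = demo()
    for kind, files in changes.items():
        print(f"{kind}: {files}")
    print("review needed:", review_needed(changes))
```

Committing the manifest next to the vendored tree makes the review list a by-product of an ordinary pull request: the diff of the manifest file is itself the checklist, and a crowd-sourced process like the one the comment describes could publish such manifests alongside the Git-based registry entries.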