Downloading a dependency also requires a high degree of trust in whatever transitive dependencies a trusted dependency decides to pull in.