We don’t solve malicious code injected into packages by not re-using components just because someone else wrote them.

If you have code in pull requests and you don’t know what it does, maybe we shouldn’t accept it? Maybe we shouldn’t rely on volunteers for critical infrastructure?