> There is zero chance that they have checked those libraries for supply chain attacks.

Even if they did, unless the project locked all underlying dependencies to git hashes, all it takes is a single update to one of those and you’re toast.

That’s why things like Dependabot are great.