Regarding "supply chain security" with dependencies: as a professional dependency auditor I can tell you that malicious dependencies are extremely rare... and what's far more common is security issues in utilities that large dependencies insisted on reimplementing despite safe off-the-shelf options being available.
If your takeaway from dependency security stuff is "avoid dependencies", then that is absolutely the wrong takeaway.
(For completeness' sake: this is in the JS ecosystem. It's difficult to compare this to other ecosystems, because many ecosystems don't *have* a meaningful set of single-purpose libraries, and them being single-purpose is an important factor affecting security.)
And to be clear, this is not to say that dependency security efforts are not important.
But it's important to understand that this is like car vs. plane safety; planes (dependencies) *look* really scary, but the actual thing that's likely to kill you is a car (rolling your own).
That doesn't mean that improving plane (dependency) safety doesn't matter, but it's a background process by people whose job this is, not some acute crisis that you need to deal with yourself.
