I remember working on bitcoin libraries for multisig hardware wallets and thinking to myself, all that security is kinda moot when all it takes is *one* dependency from NPM to be compromised and every one of the signers, using identical software, signs the wrong thing. We ended up with zero third-party libraries and we checked the signatures of every package, with Git, when updating. Stay frosty.
Discussion
Multi-vendor - multi-sig
Having a multisig quorum with 1 vendor of signers is like choosing a password, choosing your mother's maiden name...and calling it MFA.