Perhaps pulling live dependencies that are not collectively managed by a single QA team but rather are individually managed by many thousands of people with wildly varying security practices was a bad idea.