With most languages it’s easy to add a new dependency. Add one line to a package manager file and run one command to download and install it. The PR will just have the package manager changes. Often this is the only review the dependency gets.

Let’s say instead of doing that you wrote the code you’re “buying” in from the dependency in house. That code gets reviewed as it’s added as part of the normal development workflow.

So why the difference? You should treat dependencies the same as other code. Go and look at the issue tracker to see if there are many open issues or PRs. Review the code, make sure it’s not doing anything crazy.

Does your development process have anything that covers doing this when adding new dependencies?