
Ideally, programming languages should include capability-based access control, so that a random library that is supposed to do X can't do Y.

Until then, we need to vet our dependencies. Check out https://github.com/crev-dev/cargo-crev/tree/master/cargo-cre... for a distributed review system we're working on.


