> maybe that's what you should do for every dependency anyway

Exactly. When your colleague wants to write new code in your repo you do a code review. When a stranger writes a large amount of code shouldn't you also do a code review?
Sometimes. Depends on the boundaries between your code and theirs.

I write Go apps and deploy them in the cloud. I haven't done a code review of Linux, Docker, Kubernetes, or the Go standard library. When an independent person puts out a library that I'm going to depend on, yes I'll review its code first. When I'm building on something that's backed by a big company (Google) or solid foundation (the PSF) then rather than reviewing the code, I'm more likely just to review the interface and docs. There's a continuum of possibilities in between. Different people may rationally draw the line where they'll do code reviews at different places on that continuum.


Sure, you can blindly trust your dependencies. And most people do. But don't expect them to help you for free if you have a problem. They might. But likely they won't.

Try sending an email to Linus Torvalds if something with the Linux kernel is not to your liking and you'd like him to change something. Brace for impact. Well, at least with the "old" Linus. He calmed down a little recently.
