I'd be called insane if I suggested it.
I work with .NET and I'd rather not add all the code in Newtonsoft.Json and manually review each line.
I mean where does it stop?
Why not have everyone in the world code review ASP.NET and .NET libraries for every single website project at that rate?
Rust’s Cargo vet offers an answer to that question.
You can import a list of audits from trusted auditors, which should cover all popular packages. Now you have to audit dependencies that aren’t well-known in the community, which really is the set of dependencies that you should take an extra look at. The big popular JSON libraries can be audited by either Microsoft or some of the other large projects that are using them.
You’d explicitly share your trust list in your audit file, and anything (updates or new packages) that isn’t trusted by you or one of your listed auditors is flagged for auditing.
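
The setup described in the reply above, as an added example that is not part of either comment: a hypothetical project's cargo-vet files, importing one published audit set and recording one audit of its own. The crate name `obscure-parser`, its version and the auditor identity are constructed; the import URL is Mozilla's public audit file.

```toml
# supply-chain/config.toml (constructed example)
# Audit sets published by others that this project chooses to trust.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

# supply-chain/audits.toml (constructed example)
# The project's own review of a crate that no imported set covers.
[[audits.obscure-parser]]
who = "Jane Doe <jane@example.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
```

With these files committed, running `cargo vet` fails on any dependency version that neither your own audits nor an imported set covers, so a new crate or an unreviewed update is reported before it is accepted.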