Hacker News

rpdillon, today at 5:39 PM

The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.