> or only allowing widely used, well-maintained Javascript libraries.

That isn't a guarantee either, just last month someone compromised the Axios library.