Popularity is never a metric for security or quality… Always verify.
Verify what? I certainly don't have the capacity to thoroughly review my every dependency's source code in order to detect potentially hidden malware.
In this case, more realistic advice would probably be to either rely on a more popular package to benefit from swarm intelligence, or create your own implementation.
But... GitHub stars!
Over a certain popularity it is. 56k downloads is nowhere near the threshold.
Verify? Verify what?