Hacker News

hnlmorg, today at 4:31 PM, 0 replies

Important security packages should be audited by 3rd party researchers and their results shared. For example https://github.com/RustCrypto/RSA?tab=readme-ov-file

If you’re using a security package and it isn’t either a shim over an existing API (e.g. porting a C library to a non-C language) or it fails to provide evidence of independent audits, then steer clear of it.

Most other domains are generally much easier for the developer to audit.

However I will say in an age of AI, it will become much easier than it already is to inadvertently pull bad packages.