Supply Chain Irony

There is a certain irony that large organisations carry out a myriad of checks, due diligence, impact assessments, contract reviews and more for any organisation they themselves do business with. But their team of developers will npm, pip, or cargo install any and all dependencies built by a single person on the other side of the world.

This is not to say open source projects are untrustworthy. But if you suggested to an enterprise business lawyer that you wanted to run some random code you found on the internet in production, they would tell you no.