Hacker News

Do you check _their_ dependencies though? And do you check every file?


I don't check every file but I use very sophisticated proprietary heuristics such as "intuition" and "hunch" for how far to dig.

I use Vim so dependencies are explicit. But when using npm packages at work I give dependencies a look before I look anywhere else. An unfamiliar dependency gets looked at. It's easier since the npm website's code browser allows inspecting the code.

It's a very imperfect process.
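As an added example (not the commenter's code), here is one way to answer the "do you check _their_ dependencies" question for an npm project: walk a lockfileVersion 3 `package-lock.json` and list, per direct dependency, everything it pulls in transitively, flagging anything not fetched from the registry you expect. The lockfile below is constructed sample data; the package names in it are made up.

```javascript
// Added example: enumerate transitive npm dependencies from a lockfile.
// Assumes a lockfileVersion 3 "packages" map (keys like "node_modules/foo").
// The lockfile below is constructed sample data, not a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad-ish": "^1.0.0", "tiny-logger": "^2.0.0" } },
    "node_modules/left-pad-ish": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      dependencies: { "pad-core": "^0.3.0" } },
    "node_modules/pad-core": { version: "0.3.1",
      resolved: "https://registry.npmjs.org/pad-core/-/pad-core-0.3.1.tgz",
      dependencies: { "unknown-helper": "*" } },
    "node_modules/unknown-helper": { version: "9.9.9",
      resolved: "git+ssh://git@example.invalid/someone/unknown-helper.git" },
    "node_modules/tiny-logger": { version: "2.0.0",
      resolved: "https://registry.npmjs.org/tiny-logger/-/tiny-logger-2.0.0.tgz" },
  },
};

// npm resolves "name" from a package by walking up nested node_modules dirs.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Per direct dependency: its transitive deps as "name@version", plus every
// package in that subtree (the direct dep included) not served by `registry`.
function auditTransitive(lock, registry = "https://registry.npmjs.org/") {
  const packages = lock.packages;
  const label = (k) => k.slice(k.lastIndexOf("node_modules/") + 13) + "@" + packages[k].version;
  const report = {};
  for (const direct of Object.keys(packages[""].dependencies || {})) {
    const seen = new Set();
    const stack = [resolveKey(packages, "", direct)];
    while (stack.length) {
      const key = stack.pop();
      if (!key || seen.has(key)) continue;
      seen.add(key);
      for (const dep of Object.keys(packages[key].dependencies || {})) {
        stack.push(resolveKey(packages, key, dep));
      }
    }
    const all = [...seen];
    report[direct] = {
      transitive: all.filter((k) => k !== "node_modules/" + direct).map(label).sort(),
      offRegistry: all.filter((k) => !(packages[k].resolved || "").startsWith(registry)).map(label).sort(),
    };
  }
  return report;
}

console.log(JSON.stringify(auditTransitive(sampleLock), null, 2));
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the `offRegistry` list is where a git URL or a private mirror you did not expect shows up.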


Have you ever caught anything?


No, that would be a different story :) I ended up not using dozens of plugins and libs after a look at their dependencies and code, though.


Emacs has deps on libraries such as pdf-tools with mupdf and telega with tdlib, but these are installed from the OS repos, so they are trusted.


Only a handful of Vim plugins have dependencies, and even then you need to install them explicitly.
