It should have been clear from outset that pulling any number of transitive dependencies is horrible idea from security viewpoint. Ofc, it is fast and cheap in the moment... But, long term it clearly is not the best way.