When I co-created the #pytest automated testing tool me and others insisted on a no-dependency approach because anything under test could interfere with it .... But I also was increasingly aware that a malicious merged PR in pytest, now a world wide deployed tool in many companies and governmental institutions, could cause a massive backdooring cataclysm ... At least for the first decade pytest folks were friends with each other and knew each other physically, that kind of helps a bit I guess?