>Every evil corporation contributes their backdoor shit into it and steals whatever the coding gurus put out
I am afraid you are right to a greater extent. I have done exactly that once before, analyzing some of the code before building upon it, and came to the conclusion that is not the best way to secure but to write your own code that interrogates every request and send it through a pipeline of middleware that finalizes the last call as my filtered adornments calling the original function with it's args. Nothing is truly secure unless you re-invent the wheel. That is why I do not use something like React-Create-App because even though it sets up a project easily it also puts thousands of files into your project of who knows what. I keep everything bare-bones as possible.