I think for a security application you want to reduce your exposure as much as possible, and one way to do so is reducing the amount of dependencies in your application. I think a high dependency count is orthonogal to that.

"total of 25MB of javascript" is a good metric of the complexity of the application's code, and correspondingly the difficulty of auditing it (I'd say 25 MB of JS code make it infeasible).

Seems like a pretty good metric of complexity to me, particularly when it comes to a security audit. Having a lot of packages packaged up in the extension corresponds to having a lot of source code you have to vet, lest it be an avenue of attack.

25MB of plaintext lines of javascript code is absolutely an indication of the complexity

File count and general "bloat" is an indicator of the quality of the engineering in the product. Especially for a security product _minimalism_ should be evident -- nobody with good security sense would want or allow anything not truly necessary to the product's functionality to be included.

There's a lot of room between "super trivial" and "needlessly complex" -- it shouldn't be either.

Trusting a cloud-based third party with my passwords is a non-starter for me.