Stray thought: adding a library the PR submitter controls would be a good starting point for an XZ/SSH-style supply chain attack: badger & threaten the maintainers to add the dependency, and then sneak something into a future library update.