Good suggestions for evaluating dependencies - I would look at project activity before the code, though, just because it’s much easier.

I also look up the project on Snyk (Socket is also ok, but I find Snyk more insightful), and do some searching around CVEs and security.

Recommendations from people or organisations or projects I trust have an impact, too.

Tony Meyer @tonyandrewmeyer