Security

How can you make sure that you use trustworthy packages for your project?

Difficulty: unrated

Source: bregman-arie/devops-exercises by Arie Bregman

Answer

You can't. You will always be exposed to some security risk once you start using open source or vendor packages. The goal is to minimize that risk in order to avoid security breaches. This can be done by:

  • Regularly updating the project's dependencies to pick up the latest bug fixes and vulnerability fixes.
  • However, unless you trust the author, not updating your dependencies instantly, since freshly published package updates have become a common target for attackers.
  • Checking what changed in the package's file contents compared to previous versions before adopting a new one.