Sure, but the startup that does this is going to lose, because usually a given risky dependency isn't actually going to turn out to be malicious, and reviewing all foreign dependencies as if they were your own code is wildly time consuming.