Yes, it'd be enough. If a package you're using suddenly adds new 3rd party dependencies, you confirm this is actually needed, and if not, you know something is up. When you install software from random strangers, you have to be vigilant and consider the implications of what you do.

I recall the same situation recently with yt-dlp, as they started to depend on a JS engine for some captcha stuff or related. So when you see that, you need to adjust the mindset of "ah whatever it's probably fine" to "Ok, why are these changes actually here?", and if it's not worth reviewing, you might want to reconsider the approach of installing random binaries from the internet that are flagged as unreviewed.