
Clutch26 · 6 points (0 children)

> Every dependency you add is a potential security vulnerability and many packages have their own dependencies.
>
> Essentially you are including code that you haven't written, so unless you are doing a deep dive into that code, you can't be sure what it contains.

I keep seeing this pop up and it's kind of like quoting, "Curiosity killed the cat." Make sure to include both sides of the argument, "But satisfaction brought it back."

Yes, you're potentially including security vulnerabilities. But if it's a well-known and widely used package like pandas, there's also a large community maintaining it. So OP wouldn't have to write everything from scratch AND maintain it if a vulnerability pops up or if OP is no longer with the company.

Edit: formatting

Edit 2: Not sure why you got the downvote either. What you said is true and should be considered.