Those all seem valid questions to ask. And I don't think the package should be accepted solely based on the respective answers.
You should have someone from the company thoroughly review the code and also perform extensive testing. I understand sometimes it is not feasible to review thousands of lines of code manually. So in addition to code review, use tools to scan for vulnerabilities. Human review + scan. Not one or the other.
Ultimately it is on the organization's corporate security and overall design requirements. Something can be acceptable to one org and not the other.
Not a simple question but hope it helps. I'll be glad to discuss further and help any way I can.