Was hoping to see more discussion here. When I maintain them, which I don't do enough, I tend to go to a site depending on the make.
Mercedes seems to have great part service in house, for Citroen and Porsche I use an aftermarket reseller (online), for the MX5 NA there are lots of online options (even Ebay).
I have sourced second-hand parts but it takes a long time.
Common things, like batteries or generic tools, I source in local shops. It's globally produced but they can give good advice on battery chargers and the likes, plus we all know we should buy locally when we can.
I used to order motorcycle parts from Great Brittain, but with Brexit I've completely stopped that. I have not found good alternatives there.
You shouldn't eat candy given to you by strangers. If you're in a large group and someone knows the candy, maybe. Code is food for your computer. Be wary. Our large Open Source group of friends has learned about many kinds of candy and shouts loudly when some in the group becomes ill. You don't want to become ill. Some risk exists, but with a large group it is generally ok. Don't install packages as root, don't install what you don't need.
I run my frontend builds through Docker (also during development). By isolating access to the host system to the files/folders necessary for development I've shielded off the majority of current realistic attacks I've seen as NPM based exploits. I'm certain the approach can be replicated for other frameworks, but we use Ember and docker-ember. I doubt it runs as smoothly on a non-Linux OS.