Hacker News

Native modules are not such an issue, as they are only one file, and you are probably only targeting 3 different platforms, so you only need to add 3 files to your repo. There is, however, an issue with breaking ABI, which Node.js likes to do at every major version, e.g. twice per year.

I, however, no longer put node_modules in version control because npm likes to shuffle around the files in node_modules every time you run an npm command. I instead fork each dependency and link directly to the tarball in the package.json.

But then there are dependencies of dependencies... The only solution is probably to allow users to sign packages and updates. Then you can pick a chain of trust so that if you trust the signatures of a few people, and they in turn trust the signatures of more people, you will probably end up with popular modules being vetted/signed by many people and thus considered safe.
