
While I agree in principle, that usually means you'll 1) frequently blindly update all your dependencies, which doesn't really give you much security benefit, or 2) use old dependencies long after security vulnerabilities have been discovered in them. The first point does give you some security benefits by reducing the chance that you'll hear about a malicious package before you upgrade to it, but it's not exactly great.

I don't know what the solution is. I don't think there is a solution. We can't have 5000 dependencies from 2000 random individuals on the internet and still be safe. But if you want to avoid that situation, you're locking yourself out of the vast majority of the NPM ecosystem.

Maybe the ecosystem needs to discourage unnecessary package imports.
