NPM is a complete security failure because people use it as a CDN and even rely on future versions of whatever modules they use, without doing any kind of A/B testing or review before blindly shoving anything newly released into production.
When you have small modules downloaded 5 trillion times a second, depend on other small modules downloaded 67 septillion times a millisecond and where people often times rely on “future” versions, without even locking down to any specific known version. This combined with people just blindly trusting anyone on the internet to take over a module.
Many JS developers act like collecting dependencies is a good thing, like collecting stickers you can put on your laptop and put in your resume “I know a gajillion different modules, look at me!”. Any project with more dependencies than what you can count on one hand is nothing but bloat, and a liability.