It’s a problem in any ecosystem. It’s not like there haven’t been attacks in NuGet packages or the recently famous Log4j vulnerability. I’m not going to pretend there aren’t some pretty deep flaws with nested dependencies in Node modules, but it’s really more an issue with unprofessionalism in my eyes.
I’ve never worked at a place that would auto-magically roll out things like Windows or Chrome updates without having them vetted first. If you can’t trust those, then you certainly can’t trust some random NPM package, and if your organisation doesn’t have a strategy for how you handle something that unsafe then you really need to step up your professionalism.
I personally consider NPM packages to be sort of nice, in the very cynical way that the community tends to beta test updates for you much faster than with any other dependency system.
Not all ecosystems are the same in the extent to which auditing and maintaining dependency chains is a burden. All of Linux From Scratch consists of something like less than 90 distinct dependencies, for instance. When I went to add a token-replacement library to mdbook so I can interpolate variables in a book, Cargo pulled in 287 dependencies. For better or worse, the newer, hotter languages of the day seem to be predicated on extremely small, sometimes single-function, libraries, and thus enormous and arguably intractable dependency trees.
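The comment above measures auditing burden by transitive dependency count. As an added example (not code from any commenter or from Cargo), this script parses the `[[package]]` blocks of a Cargo.lock and reports how many crates a root actually pulls in and how deep the chain goes; the lockfile below is constructed, and only the v3 lockfile fields shown are handled.

```python
"""Count direct vs. transitive crates from a Cargo.lock (constructed example)."""
from collections import deque

# Constructed sample lockfile, not any real project's Cargo.lock.
SAMPLE_LOCK = """\
[[package]]
name = "mybook"
version = "0.1.0"
dependencies = [
 "tokens",
 "serde",
]
[[package]]
name = "tokens"
version = "0.3.0"
dependencies = [
 "regex",
]
[[package]]
name = "regex"
version = "1.7.0"
dependencies = [
 "memchr 2.5.0",
 "aho-corasick",
]
[[package]]
name = "aho-corasick"
version = "0.7.0"
dependencies = [
 "memchr 2.5.0",
]
[[package]]
name = "memchr"
version = "2.5.0"
[[package]]
name = "serde"
version = "1.0.0"
"""

def parse_lock(text):
    """Return {crate: [dependency crate names]} from [[package]] blocks."""
    graph, name, in_deps = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name, in_deps = None, False
        elif line.startswith("name = "):
            name = line.split('"')[1]
            graph.setdefault(name, [])
        elif line.startswith("dependencies = ["):
            in_deps = True
        elif in_deps and line == "]":
            in_deps = False
        elif in_deps and line.startswith('"'):
            # Entries are `"memchr"` or `"memchr 2.5.0"`; keep the crate name only.
            graph[name].append(line.split('"')[1].split()[0])
    return graph

def transitive_closure(graph, root):
    """BFS from root; returns {crate: depth} for every reachable crate but root."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in depth:          # first sighting gives the shortest path
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    del depth[root]
    return depth
```

Direct dependencies are the entries at depth 1; everything deeper is what the lockfile pulled in on their behalf.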