
It's not just about supply chain attacks. It's also about convenience and practicality. After a few months or years there will be some major dependency version updates to do, and often there is some manual work associated with that. Maybe reading changelogs and documentation, or checking if the package is still maintained and looking for alternatives. Doing that for 5 packages is reasonable; doing it for 20 or 30 packages is a liability.


I agree with you



