Hacker News
by feduzi 3714 days ago
You also install Node.js scripts that may just execute anything upon "require". "npm install --ignore-scripts" won't save you. But bash scripts... oh, yeah... lethal.

There are problems with NPM, for sure. Like the dependency level, the absence of any possibility to review new releases, and being closed rather than open (https://medium.com/@azerbike/i-ve-just-liberated-my-modules-...).

Maybe going with open solutions for package management will solve most of these problems. Like using the git protocol to host one's libraries on GitHub (or GitLab or Bitbucket or anything where you can fetch dependencies and get to review the code). Of course, this is not as simple as it sounds.