by Y7ZCQtNo39 2763 days ago
It's impractical, on an individual level, to vet your entire dependency tree. Installing something like react alone will put 100+ modules in your dependency tree.

A more mature project will have a 4-figure number of dependencies.

Things like Node Security Platform (which was absorbed by NPM) exist for a reason. There's no reason for every person to vet every single package they use -- it'd be an awful lot of duplicated energy.

If there was no implicit trust in the community, and we had to act as vigilantly as you describe, there would be no community.

2 comments

This is a bit of a strawman. It absolutely is your responsibility, but that doesn't mean you can't outsource it.
It's the kind of thing where, if everyone with this problem chipped in $5/month, we could have a central repository of vulnerabilities. So, not absolving yourself of responsibility, but also way more efficient to outsource.
(React does not have 100 dependencies, it has 5 including indirect dependencies)
A more mature project wouldn't have just React as a dependency. Point is, it's a lot of code to vet. React may have 5 indirect dependencies, but in my projects, I have 30 or more direct dependencies.
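The two claims being argued over here, how big an install tree actually is and whether a shared vulnerability database can stand in for hand-vetting, can both be checked mechanically against a lockfile. The following is an added example written for this page, not code from any commenter or from npm: it reads the `packages` map that npm writes in `package-lock.json` (lockfileVersion 2 and 3), splits direct from transitive dependencies, and reports any installed version older than the fix version named in an advisory list. The lockfile contents, the package names other than the layout itself, the versions and the advisory ids are all constructed sample data, and the dependency counts for `react` shown in it are placeholders rather than a claim about the real package.

```javascript
// Added example, not code from the Hacker News thread: measure the install
// tree recorded in an npm lockfile (direct vs. transitive) and check each
// installed version against an advisory list, the kind of "central
// repository of vulnerabilities" the commenters want to outsource vetting to.
// The lockfile and the advisories below are constructed sample data; the
// package versions and advisory ids are placeholders, not real ones.

const SAMPLE_LOCKFILE = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    // The root entry ("") lists the direct dependencies from package.json.
    "": { dependencies: { react: "^18.2.0", "example-pad": "^1.0.0" } },
    "node_modules/react": { version: "18.2.0", dependencies: { "loose-envify": "^1.1.0" } },
    "node_modules/loose-envify": { version: "1.4.0", dependencies: { "js-tokens": "^4.0.0" } },
    "node_modules/js-tokens": { version: "4.0.0" },
    "node_modules/example-pad": { version: "1.0.3" },
  },
};

// Constructed advisory feed: which package is affected and the first version
// that carries the fix. Anything installed below fixedIn is flagged.
const SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-ADVISORY-1", name: "example-pad", fixedIn: "1.1.0", title: "placeholder: input not validated" },
  { id: "EXAMPLE-ADVISORY-2", name: "js-tokens", fixedIn: "3.0.0", title: "placeholder: old bug, long fixed" },
];

// "a.b.c" -> [a, b, c]. Lockfiles store exact resolved versions, so no
// range parsing is needed here.
function parseVersion(v) {
  return v.split(".").map(Number);
}

// True when version a sorts strictly before version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// The package name is everything after the last "node_modules/" segment,
// which handles nested trees (node_modules/a/node_modules/b) and scoped
// packages (@scope/name) alike.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Split the install tree into direct and transitive packages.
function summarizeTree(lock) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  const installed = Object.entries(lock.packages)
    .filter(([path]) => path !== "")
    .map(([path, entry]) => ({ name: packageName(path), version: entry.version }));
  const transitive = installed
    .map((p) => p.name)
    .filter((name) => !direct.includes(name));
  return { direct, transitive, total: installed.length, installed };
}

// Cross-check every installed package against the advisory list.
function audit(lock, advisories) {
  const { installed } = summarizeTree(lock);
  const findings = [];
  for (const pkg of installed) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && lessThan(pkg.version, adv.fixedIn)) {
        findings.push({ name: pkg.name, version: pkg.version, advisory: adv.id, title: adv.title });
      }
    }
  }
  return findings;
}

const summary = summarizeTree(SAMPLE_LOCKFILE);
console.log(`${summary.direct.length} direct, ${summary.transitive.length} transitive, ${summary.total} installed`);
for (const finding of audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) {
  console.log(`${finding.name}@${finding.version}: ${finding.advisory} (${finding.title})`);
}
```

On a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of `package-lock.json` and the advisory list with whatever feed the team subscribes to; the point the thread makes survives the substitution, since the number of entries under `packages` is the number of things someone has to trust, and the audit step is only as good as the database behind it.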