by stephenr
2460 days ago
Your example about PHP source, or any of the bundled extensions, would be a valid point if they were maintained by one or two single developers. As you say, it's impossible to review everything. But how many projects have been caught out by sudden changes to previously working dependencies? Either revoked code, malware inclusion, breaking changes, etc. If your dependencies are versioned and go through a review like internal changes, it's much easier to spot changes. I agree that a trusted source is invaluable - my point is that (a) npm hasn't shown itself to be that and (b) the "externalise all the things" approach pushed so heavily by the nodejs community means it's not just your dependencies you need to worry about - it's the crab-grass-like tree of nested dependencies.