by zelphirkalt 2353 days ago
Especially with minified JS, how would you be sure that you get a minified version of your actual code and not one which does something else additionally, which you might not want?

Not saying that running 700+ apps is better, just noting that bundling as a service might not be a perfect solution either.


What about bundling in a local VM or Docker container?
I believe there could be some malicious code added to the bundle by these dependencies regardless of where it is being run.
I was mostly addressing the part regarding malicious dependencies gaining access to your local filesystem.

If we are talking about the final bundle itself being compromised, there is not really a technical solution to that other than not using dependencies.