Is it common to rely on a free service like npm for your company's core business? It seems like you would be taking a huge risk by not mirroring anything you need internally.
I believe (based on lots of anecdata) that it's not just common, it's absolutely overwhelmingly often the case at companies of pretty much every size, be it a data scientist using stuff from CRAN for mission-critical modelling or an OS package repo or the like. It appears that few shops have this fully under control.
I strongly recommend keeping a local mirror of your dependencies... however, I've spent years maintaining such mirrors for fairly large projects (incl. Artifactory, Nexus, and one-off OSS setups like Docker registry server), and I think it's easy to underestimate how much work it is.
Whether you use expensive 'turnkey' solutions like Artifactory or keep things simple, there's just a surprising number of ways for a local mirror to go wrong, especially if you depend on it for any kind of third-party dependency compliance control.
Some repository mirrors will also become very large, which means that if you're e.g. running them in a cloud provider the bill can add up. Not really a problem on local hardware, but the up-front cost of hardware can be substantial and a lot of startups have little to no in-house IT capability (e.g. the org I work with right now has reached hundreds of employees without having a single system administrator on staff, so as the devops person I end up having to do the care and feeding of our recently purchased local hardware as well).
In general I think this is an important and often overlooked issue in modern tech businesses - it is amazing how many technology-centric firms like software startups get to appreciable size relying entirely on outside SaaS/PaaS providers with no real in-house IT operation. This reduces up-front and staffing cost but has a way of coming back to bite you when you hit a certain point. A conversation I've been in before, in reasonably large software outfits, is "we want actual real office phones now, but telephony-as-a-service is real expensive and the on-prem products use scary words like VLAN and QoS in their setup documentation". As someone with an IT rather than software background it's a little baffling to me how this happens; I feel like a combo sysadmin/network engineer would be an early hire. But here I am working for a company instead of running one...
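One concrete check that goes with the advice above, added here as an example and not code posted by anyone in the thread: once a local mirror exists, the usual way it silently stops mattering is a lockfile that still resolves packages straight from the public registry, or that lacks integrity hashes so the mirror's contents are never verified. The script below audits an npm `package-lock.json` (both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of v1) against an allowed mirror host. The hostname `npm.mirror.example.internal` and the embedded lockfile are constructed for illustration.

```python
"""Audit an npm package-lock.json so every dependency resolves to the
internal mirror over HTTPS and carries a strong integrity hash.

Added example; the mirror hostname and the sample lockfile below are
constructed, not taken from any real project."""
import json
from urllib.parse import urlparse

# Constructed: hostname of a hypothetical internal registry mirror.
ALLOWED_HOSTS = {"npm.mirror.example.internal"}
STRONG_INTEGRITY_PREFIXES = ("sha512-", "sha384-", "sha256-")

# Constructed lockfile in the lockfileVersion 3 layout (flat "packages" map).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {  # good: mirror host + sha512
            "version": "1.3.0",
            "resolved": "https://npm.mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA...",  # constructed placeholder digest
        },
        "node_modules/lodash": {  # bad: bypasses the mirror
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-BBBB...",
        },
        "node_modules/internal-util": {  # bad: no integrity field at all
            "version": "0.1.0",
            "resolved": "https://npm.mirror.example.internal/internal-util/-/internal-util-0.1.0.tgz",
        },
        "node_modules/dev-tool": {  # bad: git dependency, unverifiable tarball
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/example/dev-tool.git#abc123",
        },
    },
})


def iter_entries(lock):
    """Yield (name, entry) pairs for every dependency in the lockfile.

    Handles the v2/v3 flat "packages" map and the v1 nested "dependencies" tree.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "":  # the root project itself, not a dependency
                continue
            yield path, entry
        return

    def walk(deps, prefix=""):
        for name, entry in deps.items():
            yield prefix + name, entry
            # v1 nests transitive dependencies under each entry
            yield from walk(entry.get("dependencies", {}), prefix + name + " > ")

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (dependency, problem) tuples; an empty list means the lockfile passes."""
    lock = json.loads(lock_text)
    findings = []
    for name, entry in iter_entries(lock):
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        url = urlparse(resolved)
        # Anything not fetched over HTTPS from the mirror bypasses the mirror's controls.
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            findings.append((name, f"resolved outside mirror: {resolved}"))
        # Without a strong integrity hash, npm cannot verify what the mirror served.
        if not str(entry.get("integrity", "")).startswith(STRONG_INTEGRITY_PREFIXES):
            findings.append((name, "missing or weak integrity hash"))
    return findings


if __name__ == "__main__":
    for dep, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{dep}: {problem}")
```

Run against the constructed lockfile it reports four findings: `lodash` resolves to the public registry, `internal-util` has no integrity hash, and `dev-tool` fails both checks because a git URL is neither on the mirror nor hashed. Running this in CI next to the mirror is what turns "we have an Artifactory" into "nothing ships that Artifactory did not serve"; the `resolved` field is the one place the lockfile records where a tarball actually came from.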
Yes, it is very common. Setting up local caches for package repositories is rarely prioritized high enough to ever get done by IT or the developers. There is almost always something else which is more important to the business.
Anecdata time: I'm in a 300 person (~50 dev) company serving the enterprise space (we have SOC audits). All our NPM and Maven needs are handled through a local Artifactory instance.