by imtringued
2309 days ago
> biggest package ecosystem. I don't understand how you can be proud of having the most unusable package ecosystem. Sure, the numbers are large, but can you actually safely use those packages? No, you can't. Just add a single library and you will include a huge amount of transitive dependencies from random package maintainers over which you have no control. Other languages like Java or Rust have the same problem, but this is a problem with exponential impact, and NPM is the leader in tree depth. Having a 10-layer-deep dependency tree is far worse than a 7-layer-deep dependency tree. When I look at the dependency tree of my own projects, more than 50% of the libraries are first party and from a vendor with a good reputation (Spring, Apache Commons, Tomcat). The rest are less trustworthy, but each project has a small open-source community that consists of more than just a random guy who may randomly throw emotional fits like in the left-pad scenario.
You have all the control in the world, and just because someone is lazy doesn't mean it doesn't work. Beyond this, you probably don't review every single line of code that goes into your application's dependencies regardless of language. It's about impedance vs. productivity for the most part.
I tend to, at least with front-end projects, focus on koa for the server tethered to the UI, React and material-ui ... nearly everything else is one-off building from there. Unless you think the likes of Facebook and Google are just one random guy.
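The argument above turns on two numbers that are easy to measure but rarely looked at: how many layers deep each direct dependency's tree goes, and how many installed packages it drags in. The script below is an added example, not code from either commenter, that computes both from the lockfileVersion 3 "packages" map that npm 7+ writes to package-lock.json. The lockfile it analyzes is constructed inline for illustration; its package names (web-framework, router, path-match, regex-builder, cookies-util, left-align) are placeholders, not real npm packages. It also shows the one lockfile detail that trips people up when counting: a version conflict makes npm install a second copy of a package in a nested node_modules directory, and that copy is a separate supply-chain artifact.

```javascript
// Added example, not code from the thread: measure how deep and how wide the
// transitive tree behind each direct dependency is, using the lockfileVersion 3
// "packages" map from package-lock.json. The lockfile below is constructed for
// illustration; its package names are placeholders, not real npm packages.

const lockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // "" is the project itself; its dependencies are the direct ones.
    "": { dependencies: { "web-framework": "^1.0.0", "left-align": "^2.0.0" } },
    "node_modules/web-framework": {
      version: "1.0.0",
      dependencies: { router: "^3.0.0", "cookies-util": "^0.5.0" },
    },
    "node_modules/router": { version: "3.0.0", dependencies: { "path-match": "^1.2.0" } },
    "node_modules/path-match": { version: "1.2.0", dependencies: { "regex-builder": "^0.1.0" } },
    "node_modules/regex-builder": { version: "0.1.0" },
    "node_modules/cookies-util": { version: "0.5.0", dependencies: { "regex-builder": "^0.2.0" } },
    // Second copy of regex-builder: the ranges ^0.1.0 and ^0.2.0 conflict, so
    // npm installs 0.2.0 nested under cookies-util instead of hoisting it.
    "node_modules/cookies-util/node_modules/regex-builder": { version: "0.2.0" },
    "node_modules/left-align": { version: "2.0.0" },
  },
};

// Node's resolution order: <from>/node_modules/<name>, then the same lookup in
// each ancestor directory up to the project root. Returns the lockfile key,
// or null when nothing is installed (e.g. an optional dependency that was skipped).
function resolveDep(packages, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const key = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[key]) return key;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

function childrenOf(packages, loc) {
  return Object.keys(packages[loc].dependencies || {})
    .map((name) => resolveDep(packages, loc, name))
    .filter((key) => key !== null);
}

// Height of the subtree rooted at loc (1 = a leaf with no dependencies).
// Memoised; a back edge of a dependency cycle contributes nothing, so the
// recursion terminates even though npm trees are not always acyclic.
function subtreeHeight(packages, loc, memo, active) {
  if (memo.has(loc)) return memo.get(loc);
  if (active.has(loc)) return 0;
  active.add(loc);
  let height = 1;
  for (const child of childrenOf(packages, loc)) {
    height = Math.max(height, 1 + subtreeHeight(packages, child, memo, active));
  }
  active.delete(loc);
  memo.set(loc, height);
  return height;
}

// Every installed copy reachable from loc, including loc itself.
function reachableFrom(packages, loc) {
  const seen = new Set();
  const stack = [loc];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    stack.push(...childrenOf(packages, cur));
  }
  return seen;
}

// For each direct dependency: how many layers deep its tree goes and how many
// extra installed packages it pulls in. A nested duplicate counts as its own
// copy, because it is its own tarball from the registry.
function analyzeLockfile(lock) {
  const packages = lock.packages;
  const memo = new Map();
  const direct = {};
  for (const name of Object.keys(packages[""].dependencies || {})) {
    const loc = resolveDep(packages, "", name);
    if (loc === null) continue;
    direct[name] = {
      depth: subtreeHeight(packages, loc, memo, new Set()),
      transitive: reachableFrom(packages, loc).size - 1,
    };
  }
  return { direct, totalInstalled: Object.keys(packages).length - 1 };
}

console.log(JSON.stringify(analyzeLockfile(lockfile), null, 2));
```

To run it against a real project, replace the constructed `lockfile` object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfiles written by npm 6 or earlier use a nested `dependencies` tree instead of the `packages` map and would need a different walker. Depth is measured in installed packages, so a direct dependency with `depth: 1` is one you can audit on its own, while each additional layer is another maintainer whose publish rights you are implicitly trusting.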