[wheresvic4]

This is a great point but do note that it is quite easy to setup [1] a private npm registry as well. Most orgs actually do just that as you really do not want a production build failing if npm goes down.

Either that or you vendor in your dependencies.

[1] https://smalldata.tech/blog/2023/03/17/setup-a-private-npm-r...