Technically, it is just the frontends. You can always interact with the contracts directly and that can't ever be shut down (if you know what you're doing). Can you do that with your bank?
Let's also not forget that every other website on the planet that relies on npm also relies on the blind trust of unverified UI components. This isn't just silo'd to crypto.
> Let's also not forget that every other website on the planet that relies on npm also relies on the blind trust of unverified UI components.
It feels like you think you're making a really good point here. In reality, it's just a run-of-the-mill appeal to popularity. The programmers doing this sort of thing on other websites are in the wrong, too.
If properly configured and audited, this approach can be secure. Github is the only way configured to publish to NPM, and NPM pushes can only be initiated by signed commits from trusted accounts with MFA, the entire workflow is can be secure on its own.
I don't really see the point for a project that doesn't seem to update their code all that often, though. The risk of misconfiguring something doesn't seem worth the effort saved by having someone with a 2FA key upload a tarball generated on their dev machine.
Let's also not forget that every other website on the planet that relies on npm also relies on the blind trust of unverified UI components. This isn't just silo'd to crypto.