[fragmede]

Just a heads up that Pypi isn't immune from the same attack, with "Pypi supply chain attack" into Google revealing a (much smaller) number of packages that turned out to be malware. Some were not misspellings either, with one being a legitimate package that got hacked via GitHub Actions and a malicious payload added to the otherwise legitimate package.

[graemep]

Definitely, and you should be aware of the risk and think about and assess your dependencies.

Having a large standard library does reduce the number of dependencies, and you can go a long way using only well known dependencies.

[tjpnz]

No language ecosystem is but NPM/Node still encourages this idea (borrowed elsewhere and interpreted poorly) that everything must be its own tiny package and that it's acceptable to author libraries consisting of thousands of transitive dependencies from potentially dubious sources. Just this week I saw one (unmaintained dependency of a popular package) which consisted of a list of a dozen SQL operators. Anywhere else you would just write the damn code, maybe add a comment that these are the SQL-92 operators and be done with it literally forever. But in Node land that would be viewed as an antipattern which only another package can fix. It's a security and maintenance nightmare that can only be explained by laziness and outright stupidity.

[silverwind]

It's a misconception that NPM or Node encourage this, because they don't. There are a few package authors that are doing it that way (some even paid by download count), but that's their opinion.

Recently there is a trend towards minimal-dependency packages and I would certainly recommend auditing every package for its dependencies before using it.