by olalonde 101 days ago
That's security theater. The package can still run arbitrary code the moment it's actually used.
1 comments

That could probably be solved by opting in to the permission model of Node. But that won't work for everybody, especially in legacy applications.

Having trusted dependencies at least drastically reduces the risk that 'git clone && npm install' takes over the entire system.

Cooling down dependencies would certainly help, also.