Frequency of actions matter, especially for security changes. If we are talking about git, I agree. If we are talking about npm, I bet 95%+ times people install packages in order to use them, not just to admire the code.
Someone else in this thread mentioned that npm can be used to manage pure front end libraries, which is a fair point.