Sure, because hosting the whole repo on GitHub is going to be a smart move. Call me when there are dependency issues, new versions that break the whole system, and security issues with unsigned packages.
I'm not sure I see the objection here. Package versions should be pinned, so dependency management and version conflicts shouldn't be an issue. I don't believe npm signs packages, but it at least communicates with the server via HTTPS and properly validates the certificate, so I don't really see the security concern there.