[shtylman]

You don't have to trust anything. If you want to NIH everything yourself, nothing is stopping you. It is however more likely that many packages on NPM are better than the ones you or your team can create if simply for the fact that they may have been created by a person very versed in the particular domain the package is for. Or maybe it will be shit but whatever :)

[oinksoft]

I have no such reservations about the NPM/CPAN style, but your assertion that the only other choice is "NIH" isn't quite true. With Python for instance, you can choose SQLAlchemy for your ORM. It has no depencencies. In JavaScript, Mongoose (a good comparison) depends on "hooks, mongodb, ms, sliced, muri, mpromise, mpath, regexp-clone, mquery". Who knows what those in turn depend on. In a strict place, you need to get every one of those things approved, and each represents a moving target if you want to upgrade Mongoose later. Those shops begrudgingly let open source in as it is, so it's a tough sell.