I might be wrong, but npm etc. feels like a very large attack surface.
That's an understatement if there ever was one.
https://en.wikipedia.org/wiki/List_of_largest_employers