The average #npm package includes in its innermost trust boundary:

- an undisclosed four-digit number of devs nobody has ever heard of
- npm itself
- github et al. in all their slop-fondling glory

Especially:

- all of their personal and organizational opsec
- all of their ability to write and configure CI/CD securely

If a single one of those components fails, all of it goes down the shitter again.

But I'm sure user-prompt-gating post-install scripts will fix all of this. As it did with Office.