You’re not wrong. Dependencies pulled directly from other developers get very little oversight compared to a language’s standard library. They introduce more opportunities for failure and increase the attack surface in your software. (The latter is at the core of the so-called supply chain attacks that have been in the news lately.)

To be fair, the problem is not unique to Node.js. Rust has it too, as does every other platform that encourages developer-to-developer library sharing.

The lesson is to be judicious with your dependencies. Look for the functionality you need in your language’s standard library first, and then in the standard software archive maintained by your target OS. (Packages that are officially part of the major Linux distros, for example.) If you can’t find it in either of those places, consider whether you truly need it, or whether writing a minimal implementation yourself would make sense.

In cases where you really must use some random person’s library, look for one that’s widely used, responsibly maintained, and ideally, small enough that you can keep track of its changes between versions. The responsibility for protecting your users is yours.