%KrkO5sw7ZFgfqFKTUnvwctwOLxrVrD51cfzXswQ2STc=.sha256I wonder whether we'll eventually see permissions for Node modules, where filesystem and network access would be rare. Unfortunately, right now we have thousands and thousands of packages with no restrictions, and exfiltrating data is just as easy as rm -rfing all the things.
The only upside is that [as long as you're using a lockfile] I think you're immune to deep dependency updates, but the long and the short of it is that downloading arbitrary software from the internet isn't any more secure just because you downloaded it with npm install.