Npm put the concept of component-based development at its core.
This is a valid thing but people don't consider the implications. In component-driven development you have to trust your component vendors. I know this is something some people hate, but welcome to how the world works.
The problem in the Node ecosystem is that trust is cheap to get and there are often no big vendors for tons of components.