The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It's quite different than running one application with a group of developers who understand all the components and monitor/approve changes.