I agree in principle, but child_process is a thing so I don't think it makes much difference. You are pwned either way if the package can ever execute code.