I have come to using a multi stage Docker build. One to install dependencies and build whatever it is. I then might have a second clean docker image where the dependencies are copied to and run.

This helps with localized risk, and some production risk - but not all of it.

NPM packages have become a huge nuisance security wise.

Yes, also using multi-stage container - we output signed OCI to our repository and have Rekor and GitHub for SBOM and attestation.

This is another huge pet peeve of mine is how hard it is to have a good container pipeline to build containers without running root - we tried some of the alternatives but they all had drawbacks - easiest is to just use GitHub Ubuntu images and hope for the best (although I recently saw some improvement in this area we want to investigate)