I think if you generally depend on npm packages, being frugal is hard, because every random package works against you.

Last time my perception was also that publishing sec is a weak point. If at least heavily used packages would be forced to do manual security steps for publishing, it would help quite a bit as long the measures a safe.