If you're distributing something that uses this package, it's not just your dev computer at risk, it's all the users.

I'm aware thanks, but if your company is doing the standard practice of using 10k dependencies for some JS webslop you don't really have any other options but to protect yourself.