Yeah, but if that app was built using a malicious dependency that only relied on the same permissions the app already uses, you’d just click “Yes” and move on and be pwned.

Oh, I don't npm.

If I can't yum (et.al.) install it I absolutely review the past major point releases for an hour and do my research on the library.