It's fine if you ignore supply chain attacks on npm packages.