True, npm packages are a risk. However, I think that there is a big difference between using npm packages and loading JavaScript from a third-party domain: with an npm package, you can inspect the source. If you don’t like what you see, you can avoid the package. I’m sure that most developers fail to do so, and just blindly trust that the package will do what it says and nothing else, but at least the opportunity is there. If you load JavaScript from a third-party domain you lose that opportunity, and all hope of keeping your website secure and your visitors’ privacy intact.
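The comment's point that an npm package can be inspected rests on the fact that the tarball you review is the same bytes your lockfile pins: package-lock.json (v2/v3 format) records an SRI-style `integrity` string such as `sha512-<base64>` for every dependency. The script below is an added example, not code from the commenter or from npm; it recomputes that digest over tarball bytes (which you could fetch with `npm pack <name>`) and compares it with the lockfile entry, so a reviewed tarball can be tied to what the build will actually install. The package names, tarball contents and lockfile are constructed inline for the example.

```python
import base64
import hashlib
import hmac
import json


def parse_integrity(integrity: str):
    """Split an SRI string 'sha512-<base64>' into (algorithm, raw digest bytes)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity algorithm: {algo!r}")
    return algo, base64.b64decode(b64)


def compute_integrity(data: bytes, algo: str = "sha512") -> str:
    """Produce the SRI string npm would record for these tarball bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_tarball(data: bytes, expected_integrity: str) -> bool:
    """True if the tarball bytes match the lockfile's integrity value."""
    algo, expected = parse_integrity(expected_integrity)
    actual = hashlib.new(algo, data).digest()
    # constant-time comparison, mainly as a habit for digest checks
    return hmac.compare_digest(actual, expected)


def check_lockfile(lockfile_json: str, tarballs: dict) -> dict:
    """Check every lockfile 'packages' entry for which we hold a tarball.

    Returns {package_name: True/False}; entries without an 'integrity'
    field or without a local tarball are skipped rather than reported OK.
    """
    lock = json.loads(lockfile_json)
    results = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:            # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in tarballs and "integrity" in entry:
            results[name] = verify_tarball(tarballs[name], entry["integrity"])
    return results


# --- constructed sample data (hypothetical package names) ---------------
GOOD_TARBALL = b"\x1f\x8b constructed bytes standing in for good-pkg-1.0.0.tgz"
TAMPERED_TARBALL = b"\x1f\x8b constructed bytes standing in for a modified tarball"

# The lockfile is built here so its integrity values are self-consistent;
# the tampered entry records the digest of the original, not the modified bytes.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/good-pkg": {
            "version": "1.0.0",
            "integrity": compute_integrity(GOOD_TARBALL),
        },
        "node_modules/tampered-pkg": {
            "version": "2.3.1",
            "integrity": compute_integrity(b"original bytes of tampered-pkg-2.3.1.tgz"),
        },
    },
})

SAMPLE_TARBALLS = {
    "good-pkg": GOOD_TARBALL,
    "tampered-pkg": TAMPERED_TARBALL,
}


def run_check() -> dict:
    """Verify the sample lockfile against the sample tarballs."""
    return check_lockfile(SAMPLE_LOCKFILE, SAMPLE_TARBALLS)


if __name__ == "__main__":
    for name, ok in run_check().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The check only covers packages whose tarball you actually hold, and a lockfile entry with no `integrity` field is skipped rather than counted as good; a real review step should treat both gaps as findings, since an unpinned dependency is exactly the case where the inspected source and the installed source can drift apart.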