I am always confused by deno folks. You can install from a git repository using yarn/npm.

How is that not "decentralisation"

And if you are importing single files from a remote url, I would question your sanity.

> install from a git repository using yarn/npm

yep, that's basically the same. deno has the benefit of using the es module system like it is implemented in browsers.

Node supports node_modules, not npm. Anything can build the node_modules.

Doesn't this mean more opportunities to inject malicious code?

Only if you tell your application to retrieve from untrusted locations.