Unfortunately, as recent incidents have shown, these many party, otherwise reliable, projects often have dependency chains that have these one person that can have a breakdown projects as dependencies.

Would I ever include left-pad as a direct dependency? No. But as we found out, the person who provided a library that was used by react-dom might.