This works best if you don’t care about security and aren’t planning to stick around at the same job. If that’s not the case, there is a real cost to a regular stream of updates required for features you don’t use - especially when there’s some kind of major upgrade like Node has had a couple of times which forces everything to update, and you get some period where not all of those dependencies have shipped updates or backwards-incompatible changes are required, and you might have to help get changes made upstream or fork something.
Better hope no security exploits are found when you’re in the middle of that process…
These things you list are not something I care about if I want to get stuff done. Caring about what node version I run is also a non-issue. I have 6 different versions of Node already because of this issue, which is not mutually exclusive to big packages.
I wasn't saying that Node itself is a security problem but rather that the community is biased towards rapid upgrades, trading long-term API stability for the ability to use new things quickly. That's a valid trade-off which a lot of people have enjoyed but it does mean that you need to think about whether you have the resources to keep surfing that wave when adding new dependencies. It does seem like the community is reconsidering that balance, too, after years of things like leftpad or worse have been highlighting how exposed most projects are to a single compromised maintainer.