Doug Hatcher

Enterprise architecture and tech junkie

You’re looking at this correctly. This is a big issue with all package managers; Node and others suffer from the same kinds of issues. GitHub has Dependabot, which will routinely scan for vulnerable packages, and you can do similar things on your own to try to mitigate the risk. There was a suggestion about using something like Symfony where it doesn’t draw from as many dependencies. This seems like good advice, but it might be going too far, as I work with projects with much higher package counts and they are considered secure. Still, it’s worth thinking about, and especially when picking frameworks and libraries it’s important to think about where you’ll be down the line when you circle back around and need to upgrade it all. It’s not necessarily about the number of packages; it’s more about whether those packages are well maintained and have continuity through an upgrade path as they release new versions.

www.reddit.com/r/PHP/com…
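For the Dependabot scanning mentioned in the comment, here is an added example (not from the commenter) of a `.github/dependabot.yml` for a PHP project; it assumes a GitHub-hosted repository with `composer.json` at the repository root.

```yaml
# .github/dependabot.yml (added example; assumes composer.json lives at the repo root)
version: 2
updates:
  - package-ecosystem: "composer"   # scan Composer dependencies for known-vulnerable versions
    directory: "/"                  # location of composer.json relative to the repo root
    schedule:
      interval: "weekly"            # open update PRs on a weekly cadence
    open-pull-requests-limit: 5     # cap noise from version-update PRs (security PRs are separate)
```

Security updates for vulnerable packages are raised independently of the schedule once the ecosystem is configured; the `schedule` only governs routine version bumps.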