OP is suggesting that a supply chain attack would be bad now, and that you should reduce that risk by not installing/updating NPM packages.