The lockfile should protect you there. It'd only be an issue if you're working on updating dependencies in which case there's other protection like min-release-age

If pulling down your company repo and running `npm install` can lead to a compromise, something has gone terribly wrong with your company's security setup.
