Evergreen reminder that with just a little bit of work to avoid platform-specific native-compiled dependencies and Node-Gyp, you can vendor your dependencies for non-library Node projects, and sometimes you should.
Certainly, Electron apps themselves should not be pulling dependencies at install time, those should be bundled into the app, that's the whole point of Electron. But they also don't need to pull their dependencies from the official NPM repos at build time either. You don't technically even need NPM installed on anything other than your dev machines, Node's dependency resolution during builds and at runtime doesn't rely on NPM at all.
I think some languages (Go springs to mind) are starting to slightly popularize dependency vendoring more, and at one point this was the official recommendation for Node apps/websites in the official docs. It fell out of fashion for some reason, but I think a lot of orgs would benefit from picking up the practice again.
It's also a good way to be a lot more deliberate about what you install, and a good way to make sure that new dependencies don't get snuck in without anyone noticing. It's very hard to hide a giant commit that introduces a thousand new files, and that can sometimes be a good opportunity to take a step back and ask yourself why you're adding a dependency that introduces thousands of files.
