I've been doing web development since before the <table> tag was introduced.
> just install 10 insecure npm packages that each install another 10 npm packages
I still don't understand why companies are fine with this.
At my last job, even principal- and staff-level developers needed every Windows or Mac application install vetted by IT. We had real-time system monitoring on all employee workstations that ate up half the RAM and CPU resources and constantly kicked us off the VPN for even the slightest quirk (including the CPU redlining due to scanning).
But npm dependencies? Nothing. Install whatever you want and push it to production.
This is an S&P 500 company that deals with tons of PII.
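As an added illustration of the gap the comment describes (not code from the commenter or any company mentioned): the kind of check a team could run in CI to give npm dependencies the same vetting that desktop installs get. It walks an npm lockfile (the `lockfileVersion` 2/3 `packages` map, using npm's nearest-`node_modules` lookup rule), computes the transitive production dependency closure, and flags anything not on an approved list or that declares a lifecycle install script via the lockfile's `hasInstallScript` field. The lockfile and the allowlist below are constructed samples, and the `name@version` allowlist format is this example's own convention.

```javascript
// Constructed sample lockfile in npm lockfileVersion 3 shape: keys are install paths
// under node_modules; each record's "dependencies" lists what that package pulls in.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "left-ui": "^1.0.0" },
      devDependencies: { "test-runner": "^9.0.0" },
    },
    "node_modules/left-ui": {
      version: "1.0.0",
      dependencies: { colorize: "^2.0.0", "tiny-fetch": "^3.1.0" },
    },
    "node_modules/colorize": { version: "2.0.0" },
    "node_modules/tiny-fetch": { version: "3.1.0", dependencies: { colorize: "^1.0.0" } },
    // Version conflict: tiny-fetch gets its own nested copy of colorize, and this
    // copy declares a lifecycle install script (runs arbitrary code at `npm install`).
    "node_modules/tiny-fetch/node_modules/colorize": { version: "1.0.0", hasInstallScript: true },
    // A devDependency: installed on workstations, but not part of the production tree.
    "node_modules/test-runner": { version: "9.0.0", dev: true },
  },
};

// Constructed allowlist of reviewed packages, keyed as "name@version".
const APPROVED = new Set(["left-ui@1.0.0", "colorize@2.0.0", "tiny-fetch@3.1.0"]);

// npm resolution rule: look for <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the root node_modules is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Transitive closure of the root's production "dependencies" (dev deps are skipped).
function productionClosure(lockfile) {
  const packages = lockfile.packages;
  const seen = new Map(); // install path -> lockfile record
  const stack = [""];
  while (stack.length) {
    const path = stack.pop();
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target === null) throw new Error(`unresolved dependency ${dep} from ${path || "<root>"}`);
      if (!seen.has(target)) {
        seen.set(target, packages[target]);
        stack.push(target);
      }
    }
  }
  return seen;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Returns every installed production path plus findings for unapproved packages
// and for packages that run install-time scripts.
function auditLockfile(lockfile, allowlist) {
  const closure = productionClosure(lockfile);
  const findings = [];
  for (const [path, rec] of closure) {
    const id = `${nameFromPath(path)}@${rec.version}`;
    if (!allowlist.has(id)) findings.push({ id, path, reason: "not on approved list" });
    if (rec.hasInstallScript) findings.push({ id, path, reason: "declares install script" });
  }
  return { installed: [...closure.keys()].sort(), findings };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE, APPROVED), null, 2));
```

The nested `colorize@1.0.0` is the interesting case: it never appears in `package.json`, only the lockfile knows it exists, and a review that reads the top-level manifest alone would miss both its unapproved version and its install script. Running the audit against the committed lockfile in CI, and failing the build on any finding, is what turns an allowlist into an actual control.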