Isn’t this a problem with every package/library system? Is there really a solution to this that doesn’t limit packages with how they handle their dependencies?
This may also be about trust. npm probably could limit a number of dependencies that a single package can have with an arbitrary limit, but they don’t do that, because they trust the developers they won’t misuse their options. Well…
Thats a good question and I’m not sure to be honest.
We use NPM at work client side for React Typescript and Nuget server side for C# .net and all I know is the senior always complains about NPM but not NuGet I do believe the backend is less package reliant on our applications so maybe that’s why it’s not as bad.