
> In recent years, it's started to feel like you can't trust third-party dependencies and extensions at all anymore.

Was it really a recent thing?

> Just take a look at eslint's dependency tree

Npm / node has always been extra problematic though. Where's the governance / validation on these packages? It's a free-for-all.


