
StopDisinfo910, last Tuesday at 10:13 AM, 1 reply

> Debian IS more cautious with dependencies, in that you won't get hidden dependencies that aren't in the repos.

For a definition of cautious I don't personally share.

Debian doesn't vet packages. Debian maintainers are less competent than the "upstream" they question approximately all the time, which is why they keep breaking stuff in more or less severe ways (OpenSSL, anyone?). And let's not even talk about the insane stuff like when maintainers decide to support a fork they like instead of the piece of software users actually want (Libav, anyone?).

> If not, then I'm not interested.

And that's your choice. That doesn't mean developers should care, nor that it is actually a good idea.


Replies

const_cast, last Wednesday at 6:20 PM

Competent is one thing, malicious is another.

I can agree that Debian maintainers are generally more incompetent, but they do actually vet dependencies for conforming to Debian ideology.

Upstream may be developing malware, they may be adding telemetry or ads. So if we just allow them to install 500 node packages that we don't know what they do... That's suspicious. That's asking for trouble.

Debian keeps tight control of its supply chain. It's not perfect or bug-free, but it is within Debian's goals.

So if you want a free distro with almost completely free sources, then Debian is really one of your only choices.