Installing any 3rd-party dev dependency without sandboxing should terrify you. These supply chain attacks are not hypothetical.
Trusting other devs to not write malicious code has led to a surprisingly small number of incidents so far, but I don't think this will extrapolate into the future.
With more lines of code being auto-written without deliberate intent or review from an accountable author, things can only get worse!