
zarzavat, today at 2:39 PM (0 replies)

What the axios attack shows is that even if you stick to sensible, popular packages you can still get pwned if you are not following best practices: set a min age, don't npm install except from a lock file, preferably work in a VM, etc.

Yesterday it's axios, tomorrow it could be react, vite, or typescript. Sticking to only "required" packages won't save you; you have to fix the problem at the root by improving your own security practices. Make the attack impossible, not just unlikely.
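Two of the practices the comment lists, a minimum release age and installing only what the lock file pins, can be turned into mechanical checks. The following is an added example, not code from the comment or from npm: it assumes the shape of the `time` map that the npm registry returns for a package (version name to ISO publish timestamp, plus `created` and `modified`) and the `packages` map of a lockfileVersion 3 `package-lock.json`. All timestamps, package names and versions below are constructed for the demonstration.

```python
"""Minimum-release-age selection and lock-file coverage checks for npm dependencies.

Added example (not part of the HN comment). Assumes the npm registry's `time`
field and the lockfileVersion 3 `packages` layout; sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry `time` map. In this scenario 1.6.2 was
# published roughly twelve hours before NOW, so a 7-day policy must skip it.
SAMPLE_REGISTRY_TIME = {
    "created": "2023-01-01T00:00:00.000Z",
    "modified": "2024-06-02T12:00:00.000Z",
    "1.6.0": "2023-08-10T00:00:00.000Z",
    "1.6.1": "2024-01-20T00:00:00.000Z",
    "1.6.2": "2024-06-02T12:00:00.000Z",
}
NOW = datetime(2024, 6, 3, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed package.json / package-lock.json fragments: `react` is declared
# but has no lock entry, which is the situation `npm ci` refuses to install.
SAMPLE_PACKAGE_JSON = {"dependencies": {"axios": "^1.6.0", "react": "^18.0.0"}}
SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0", "react": "^18.0.0"}},
        "node_modules/axios": {
            "version": "1.6.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.1.tgz",
            "integrity": "sha512-CONSTRUCTED_PLACEHOLDER",
        },
    },
}

META_KEYS = {"created", "modified"}  # non-version entries in the `time` map


def parse_iso(ts: str) -> datetime:
    """Parse a registry timestamp; the registry uses a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def semver_key(version: str):
    """Sort key for plain semver strings; a release sorts after its prereleases."""
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return (numbers, prerelease == "", prerelease)


def versions_older_than(time_map: dict, min_age_days: int, now: datetime = NOW) -> list:
    """Versions that have been public for at least `min_age_days` at `now`."""
    cutoff = now - timedelta(days=min_age_days)
    return [v for v, ts in time_map.items()
            if v not in META_KEYS and parse_iso(ts) <= cutoff]


def newest_mature_version(time_map: dict, min_age_days: int, now: datetime = NOW):
    """Newest version satisfying the minimum-age policy, or None if nothing qualifies."""
    candidates = versions_older_than(time_map, min_age_days, now)
    return max(candidates, key=semver_key) if candidates else None


def unpinned_dependencies(package_json: dict, lockfile: dict) -> list:
    """Declared dependencies with no resolved entry in the lock file (install would not be pinned)."""
    packages = lockfile.get("packages", {})
    return sorted(name for name in package_json.get("dependencies", {})
                  if f"node_modules/{name}" not in packages)


def entries_missing_integrity(lockfile: dict) -> list:
    """Lock entries without an `integrity` hash; these cannot be verified at install time."""
    return sorted(path for path, entry in lockfile.get("packages", {}).items()
                  if path and "integrity" not in entry)


if __name__ == "__main__":
    print("7-day policy picks:", newest_mature_version(SAMPLE_REGISTRY_TIME, 7))
    print("not pinned by lock file:", unpinned_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE))
    print("lock entries without integrity:", entries_missing_integrity(SAMPLE_LOCKFILE))
```

With the constructed data, a 7-day policy selects 1.6.1 rather than the freshly published 1.6.2, and the lock-file check reports `react` as declared but unpinned. In a real pipeline the `time` map would come from the registry document for each package, and the same `unpinned_dependencies` result is what makes `npm ci` (as opposed to a bare `npm install`) fail instead of silently resolving a new version.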