There is more to dependency risk than 'getting hacked' - correctness, maintainability, IP due diligence all play a role.

Yes. I've had several apps that can basically never be upgraded due to complete insanity deep in their dependency trees.

I'm pretty cautious about third party dependancies, but some of those libraries' libraries are not, and it's really hard to see that coming.

If you expect to live with code for 5+ years (and I understand that's not everyone, but it's almost always me), this is a big problem.

We've all lived with code that was 5+ years old, even if not all those years were ours. b^) Often that meant wrangling envars to point to the right ancient binaries, assuming we could somehow get those binaries installed. None of that is required with javascript. If a dependency is causing problems, just replace it with a different one. (npmjs.com has lots of packages!) Or, write something yourself. In five years you'll find enough spare time.