> As soon as you are no longer implicitly trusting all future versions of your dependencies, things become much more sane.

I agree, I wish npm ci and fixed dependencies were the default, but they're not and people need to learn about them.

Lock files are not enough, you can't review all the dependencies yourself every time you lock. A new tool is needed to deal with trust.