
That’s already exactly the same risk almost all web developers take currently. Yes it is a real threat, but it’s too hard to deal with and not often exploited.



We all hope and rely on the fact that popular OSS projects have enough eyeballs on them to make sure nothing malicious slips through. What is proposed here allows a load of changes to be made that completely bypass the normal review process.


This doesn't bypass the review process because no one's review process includes auditing the code of all things in the package lock files. This is no more or less secure than the current way of doing things.
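The comments above argue about whether lockfile contents get any real review. One thing a reviewer can do cheaply, short of auditing every dependency's code, is check the lockfile's own metadata: where each package resolves from and whether it is pinned by a strong integrity hash. The script below is an added example written for this page, not code from any commenter or project; it assumes an npm `package-lock.json` in the lockfileVersion 3 layout (a `packages` map keyed by `node_modules/...` paths with `resolved` and `integrity` fields), a trusted-host set of `registry.npmjs.org`, and a constructed sample lockfile embedded inline.

```python
import json
from urllib.parse import urlparse

# Hosts a lockfile entry is allowed to resolve from (assumption for this example).
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
# Subresource-integrity algorithms treated as acceptable (assumption for this example).
STRONG_INTEGRITY_ALGOS = {"sha256", "sha384", "sha512"}

# Constructed sample lockfile in npm lockfileVersion 3 layout; not from a real project.
# The hash values are placeholders of the right shape, not real digests.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/mirrored-lib": {
            "version": "2.0.0",
            "resolved": "https://example-mirror.invalid/mirrored-lib-2.0.0.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",
        },
        "node_modules/git-dep": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/git-dep.git#0123456789abcdef",
        },
        "node_modules/no-hash": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/no-hash/-/no-hash-1.0.0.tgz",
        },
        "node_modules/weak-hash": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/weak-hash/-/weak-hash-1.0.0.tgz",
            "integrity": "sha1-" + "C" * 27 + "=",
        },
    },
})


def audit_lockfile(lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return (package, reason) findings for lockfile entries a reviewer should look at.

    A package can yield more than one finding (e.g. untrusted host and missing hash).
    """
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a fetched dependency
        if entry.get("link"):
            continue  # workspace symlink; nothing is downloaded for it
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")

        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        parsed = urlparse(resolved)
        if parsed.scheme.startswith("git"):
            # Git sources are fetched and built outside the registry; review the pinned ref.
            findings.append((name, "git source instead of registry tarball"))
            continue
        host = parsed.hostname or ""
        if host not in trusted_hosts:
            findings.append((name, f"resolved outside trusted registry: {host}"))
        if not integrity:
            findings.append((name, "missing integrity hash"))
        else:
            algo = integrity.split("-", 1)[0]
            if algo not in STRONG_INTEGRITY_ALGOS:
                findings.append((name, f"weak integrity algorithm: {algo}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{pkg}: {reason}")
```

Running this in CI against the real lockfile and failing the build on any finding turns the lockfile from something nobody reads into something that at least cannot silently point at a new host or drop its hash; it does not replace reading the code of a new dependency, which is the gap the comments describe.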





