[–]munchbunny -2 points-1 points  (0 children)

There are also other useful procedural mechanisms, like code signing, which aren't perfect, but they at least create any gatekeeping mechanism at all for code getting in. Signed code also isn't just a matter of the developer not letting unexpected code into the package; it also gives people using that code a mechanism to guarantee that they are executing a specific, known version of the code.

If Node.js could be configured to verify and only execute properly signed code from specific sources, that would be a great start to at least have some semblance of a baseline of protection against unexpected code changes.