This is a great point but do note that it is quite easy to setup [1] a private npm registry as well. Most orgs actually do just that as you really do not want a production build failing if npm goes down.
It's very interesting to see this on HN because we're actively working in this space, albeit on building a training platform but the long-term goal is to generate models that can outperform the current ones that require a lot of expert input.
Either that or you vendor in your dependencies.
[1] https://smalldata.tech/blog/2023/03/17/setup-a-private-npm-r...