
It's literally possible. You just have to have that as a goal from the start of the project. I just looked at our call center product. Across frontend and backend we have 70 npm dependencies required for build/runtime. Most are small.

It's not that hard to do some superficial review once and do a diff of node_modules when updating npm-shrinkwrap.json for whatever reason.

It's utterly irresponsible to not do so when pulling code from untrusted sources like npm.

Don't pull in dependencies which have many dependencies themselves. There are many projects that pride themselves on minimalism and lack of transitive dependencies. Choose those. Etc.
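The "diff of node_modules when updating npm-shrinkwrap.json" described above, as an added example that is not part of the comment: a Node script that flattens two lockfiles (lockfileVersion 1 nested `dependencies`, or 2/3 flat `packages`) and reports added, removed and changed packages, flagging an integrity change even when the version number is unchanged. The sample lockfiles are constructed for the example.

```javascript
// Added example: diff two npm-shrinkwrap.json / package-lock.json documents
// so a dependency update can be reviewed package by package.

// Flatten a lockfile into Map<installPath, {version, integrity}>.
function flattenLockfile(lock) {
  const out = new Map();
  if (lock.packages) {                       // lockfileVersion 2/3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue;                // "" is the root project itself
      out.set(p, { version: meta.version, integrity: meta.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {           // lockfileVersion 1 (nested)
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      out.set(p, { version: meta.version, integrity: meta.integrity });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Compare before/after; a changed integrity hash counts even if the
// version string is identical (the tarball is not what was reviewed).
function diffLockfiles(before, after) {
  const a = flattenLockfile(before), b = flattenLockfile(after);
  const added = [], removed = [], changed = [];
  for (const [p, meta] of b) {
    if (!a.has(p)) added.push(p);
    else if (a.get(p).version !== meta.version ||
             a.get(p).integrity !== meta.integrity)
      changed.push({ path: p, from: a.get(p).version, to: meta.version });
  }
  for (const p of a.keys()) if (!b.has(p)) removed.push(p);
  return { added, removed, changed, total: b.size };
}

// Constructed sample lockfiles (lockfileVersion 1); hashes are placeholders.
const BEFORE = { lockfileVersion: 1, dependencies: {
  express: { version: '4.17.1', integrity: 'sha512-AAA', dependencies: {
    cookie: { version: '0.4.0', integrity: 'sha512-BBB' } } },
  lodash: { version: '4.17.20', integrity: 'sha512-CCC' },
  'old-util': { version: '1.0.0', integrity: 'sha512-OLD' } } };
const AFTER = { lockfileVersion: 1, dependencies: {
  express: { version: '4.17.1', integrity: 'sha512-AAA', dependencies: {
    cookie: { version: '0.4.1', integrity: 'sha512-DDD' },
    'new-helper': { version: '2.0.0', integrity: 'sha512-NEW' } } },
  lodash: { version: '4.17.20', integrity: 'sha512-CCC2' } } };

console.log(JSON.stringify(diffLockfiles(BEFORE, AFTER), null, 2));
```

Every path in `changed` and `added` is a package worth opening in `node_modules` before the update is committed.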


