Great summary article. The missing point is about the dependencies version management.
NPM modules suffer from the ~ ^ in the version numbers. Although semver may enforce no changes in the dependencies api, their devs are humans too and may break things.
Therefore, we should enforce module managers to "hardcode" the dependency version. This would also be a step towards reproduceable builds.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.