
Huh? This is an issue affecting backend JS. We are discussing front end applications.


Even if this code is only run on the developer's machine, you're trusting 1,600 entities to not pwn it one day.

It's worth some concern.

As the copay attack shows, the fact that everyone uses these libraries doesn't let us rest assured. There are virtually zero eyeballs on the code of transitive dependencies because you would have to extract tarballs to read code. And attacks can be extremely targeted. The copay attack was only discovered because of a deprecation warning in the attacker's code that someone reported.


That is true. Thank you. But is that the totality of the danger, then?


There's nothing special about "backend". It's normal for the client side bundle to contain many dependencies that came from NPM.


Right but if they can’t phone anywhere when the client executes them, they’re not dangerous to the client. As another commenter points out though, there is the danger of executing on the dev’s computer: I guess that is true.
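To put a number on the "1,600 entities" and "executing on the dev's computer" points above, here is an added example (not code from the thread or from npm) that walks a lockfile and reports the transitive closure plus every package declaring an install script; the lockfile and package names are constructed for the example.

```javascript
// Added example: walk an npm lockfile (lockfileVersion 2/3 "packages" map), count the
// transitive dependency closure (how many separately published packages a project trusts)
// and flag those declaring install scripts, which run on the developer's machine at `npm install`.
const sampleLock = { // constructed for this example; the package names are made up
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "ui-widgets": "^1.0.0" }, devDependencies: { "build-tool": "^2.0.0" } },
    "node_modules/ui-widgets": { version: "1.0.0", dependencies: { "tiny-util": "^0.1.0" } },
    "node_modules/tiny-util": { version: "0.1.0", dependencies: { "stream-helper": "^3.0.0" } },
    "node_modules/stream-helper": { version: "3.0.0", hasInstallScript: true },
    "node_modules/build-tool": { version: "2.0.0", dev: true, dependencies: { "tiny-util": "^0.2.0" } },
    // npm hoists one version to the top level and nests the conflicting one under its parent
    "node_modules/build-tool/node_modules/tiny-util": { version: "0.2.0", dev: true },
  },
};
// Resolve `name` as required from `fromPath`, mimicking Node's lookup order:
// the nearest node_modules first, then each ancestor's node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // absent from the lockfile (e.g. an unmet optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Every package reachable from the root. devDependencies count only at the root,
// because npm does not install the devDependencies of a dependency.
function transitiveClosure(lock, { includeDev = true } = {}) {
  const seen = new Set(), stack = [""];
  while (stack.length) {
    const path = stack.pop();
    const entry = lock.packages[path] || {};
    const edges = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (includeDev && path === "") Object.assign(edges, entry.devDependencies || {});
    for (const name of Object.keys(edges)) {
      const target = resolveDep(lock.packages, path, name);
      if (target && !seen.has(target)) { seen.add(target); stack.push(target); }
    }
  }
  return [...seen];
}
function summarize(lock, opts) {
  const paths = transitiveClosure(lock, opts);
  return { total: paths.length, withInstallScripts: paths.filter((p) => lock.packages[p].hasInstallScript)
    .map((p) => `${p.slice(p.lastIndexOf("node_modules/") + 13)}@${lock.packages[p].version}`) };
}
console.log(summarize(sampleLock)); // { total: 5, withInstallScripts: [ 'stream-helper@3.0.0' ] }
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the `hasInstallScript` flag is what npm writes for packages with preinstall/install/postinstall hooks.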



