Is that any less true for completely unrelated pieces of software on the same machine? If you have a nice secure monolithic .NET project on your machine, and you also ran a create-react-app project on the same machine, shouldn’t you be just as worried?
Not really, at least IMHO. Not every vulnerability in [insert unvetted react dependency here] contains a host-targeting malware payload. In fact, I'd imagine those are the minority. Some concern is certainly warranted though.
