esbuild is a "bundler" and can replace webpack/rollup, but you still need to use yarn/npm to install all dependencies exactly the same as you do now. If your concern is primarily security-driven, esbuild is not to the topic. This applies to all other bundlers like Snowpack and Vite etc.
As for migrating to Deno: you probably will not be able to do this because most NPM packages will not run in Deno out of the box. Your build pipeline almost certainly relies on libraries like gulp/sass/globby, and those projects will need to be ported first (or made compatible by their authors).
Any modules on npm for web may work with minimal to no changes. You will need to convert them to esm. There are cdns which provide automatic conversion.
The overwhelming majority of NPM packages are still in CJS, and will not work under Deno today. Yes, you can do hack-arounds like jspm.io/skypack, but if the person is concerned with stability and/or security, adding a 3rd party middleman into the pipeline will not go down well.
Now that Node supports ESM, I hope this year will start seeing more migrations, but it will be at a glacial place because the ESM<->CJS compatibility remains extremely brittle (among all bundlers, and for Node+Browser usage). If you are writing a greenfield small library you can make it work. But it will be a long time - if ever - before we see things like @babel work.
As for migrating to Deno: you probably will not be able to do this because most NPM packages will not run in Deno out of the box. Your build pipeline almost certainly relies on libraries like gulp/sass/globby, and those projects will need to be ported first (or made compatible by their authors).