No. "Always downloading random code and hoping" is not the only option. Even with the supply-chain shitshow that the public npmjs registry has become, using pnpm and a private registry makes it possible to leverage a frozen lockfile that represents the entire dependency graph and supports vulnerability-free reproducible builds.
EDIT to add: Of course, reaching a state where the whole graph is free of CVEs is a fleeting state of affairs. Staying reasonably up-to-date and using only scanned dependencies is an ongoing process that takes more effort and attention to detail than many projects are willing or able to apply; but it is possible.
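An added illustration of the setup the comment above describes (example code, not the commenter's): an `.npmrc` pinning pnpm to a private registry with a frozen lockfile, plus a CI guard that refuses any dependency in `pnpm-lock.yaml` that did not come from the registry with an integrity hash. The registry URL is a placeholder, and the lockfile layout the check parses (`packages:` entries with a `resolution:` line) is an assumption about pnpm's format.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pnpm-lock.yaml lists each
# package under "packages:" with a "resolution:" line carrying "integrity:"
# for registry tarballs and "tarball:" or "type: git" for anything else.
set -eu

# Pin installs to the private registry and refuse lockfile drift in CI.
write_npmrc() {
  cat > "$1" <<'EOF'
# placeholder: replace with the organisation's scanned private registry
registry=https://registry.example.internal/
frozen-lockfile=true
verify-store-integrity=true
EOF
}

# Return 0 if every resolved package in the lockfile carries an integrity
# hash and none is fetched from an ad-hoc tarball or git URL; otherwise list
# the offenders on stderr and return 1.
lockfile_only_registry() {
  lock="$1"
  bad=$(awk '
    /^  \/?[^ ].*:$/ && in_pkgs { pkg=$1 }
    /^packages:/ { in_pkgs=1 }
    /resolution:/ && in_pkgs {
      if ($0 !~ /integrity:/ || $0 ~ /tarball:|type: git/) print pkg
    }' "$lock")
  if [ -n "$bad" ]; then
    printf 'non-registry or unverified dependencies:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# CI entry point: fail the build on lockfile drift, non-registry
# dependencies, or known high-severity advisories.
ci_install() {
  write_npmrc .npmrc
  lockfile_only_registry pnpm-lock.yaml
  pnpm install --frozen-lockfile
  pnpm audit --audit-level=high
}
```

`ci_install` is what the pipeline would call; the lockfile check alone runs without pnpm installed.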
This. It would be a partial improvement. A greater improvement would be rewriting it natively per platform, conscientiously sandboxing plugins, and minimizing the supported "js" language to a strict subset that doesn't allow arbitrary file, network, or system operations unless signed and approved entitlements are granted.