I don't accept the idea that it would significantly slow down the spread.

How often do you run "npm install" just for the fun of it, without actively working on the codebase?

IME 99% of the time the time between "npm install" and some form of execution that pulls in dependencies is less than 30 seconds.