It's now evident that node.js modules and npm are a programming antipattern. Actually, not just node.js modules but all modules in any programming language that are installed over the internet via a package manager are an antipattern.
Here's why.
You create your project, all is good. You depend on a bunch of modules that you need. Each time you deploy, they get pulled in from a module/package registry. So far so good. Time goes by, half a year passes, a year passes, and suddenly when you deploy again everything breaks because someone sold their package to crypto currency miners, or someone just got upset and deleted their package, or someone published an change that's inconsistent with the current versioning scheme. Suddenly your app is no longer deployable and you have to spend countless hours fixing these nonsensical issues that you wouldn't have had in the first place had you simply written your own tiny module for the task at hand or had you simplified the dependency and copied it to libs/ folder or vendor/ folder of your project.
This nonsense with broken packages has now happened to me dozens of times and it's clear that you should never be doing "npm install" or "pip install" or any bullshit install during a deploy. All your dependencies should be in the vendor/ folder of your project in your master branch. This way, your master is always working, your master is god, it's always deployable, and you don't risk running a crypto miner on your production server.
Always vendor your dependencies and see you next time!