Discussions seem to be overly focused on Dominic's role/responsibility, or the reliance on unpaid open source contributions, when the root is clearly a systemic issue with the Node ecosystem.
The nature of NPM is such that I'd expect most large corporate Node software to depend on at least a couple of single individuals' hobby projects. The problem is that those projects don't tend to fulfill the same expectations of security, quality and maintenance.