nuxt / rfcs

RFCs for changes to Nuxt.js


Dependency module

galvez opened this issue · comments

Idea: Create a @nuxt/deps package with locally distributed cached versions of all Nuxt's dependencies. This way, if a Nuxt dependency gets compromised with a patch release on NPM, Nuxt users won't be immediately vulnerable.

We would need to write a script to update and cache the distributions.

Bonus point: fewer network calls during a fresh install.

Basically we want a script that parses out yarn.lock, downloads distributions and builds a new package with them.

I think this is just a matter of locking dependency versions and not using the range if such security is important. Making nuxt zero dependencies would be a good approach but bundling webpack related deps is not practical (at least easily).

Extra point: This is how NPM ecosystem works indeed. It is healthy and fresh because of sub-packages being implicitly updated on fresh installs and ranged deps.

Also see yarn offline mirror if interested in keeping a local copy of the tarballs from the lock file: https://yarnpkg.com/blog/2016/11/24/offline-mirror

Facebook internally keeps a copy of package files for faster CI.

Clarification: We did this experiment for nuxt3 by using vercel/nft but the final result wasn't shiny since it produces a really big npm tarball, requires manually creating a zip instead of npm publish (since npm ignores node_modules when adding to the package) and other workarounds which make it less compatible with the npm ecosystem...

Also from nuxt@2.15 (currently via nuxt-edge) we support pnp package managers out of the box, which allows zero-install usage, but it also means it is less possible to inline/pre-pack all dependencies.

2024 - I am thinking about it, now!