Packages downloaded from NPM can fetch dependencies from untrusted sites.