Hacker News

dec0dedab0de, yesterday at 6:26 PM

The project authors probably don't even know what libraries their project requires, because many of them are transitive dependencies. There is zero chance that they have checked those libraries for supply chain attacks.

This is the best reason for letting users install from npm directly instead of bundling dependencies with the project.
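The point about transitive dependencies can be checked rather than guessed: npm records every installed package, nested copies included, in package-lock.json. The script below is an added example (not the commenter's code and not tied to any real project) that reads a lockfileVersion 3 file, separates the packages a project declared from the ones it merely inherited, and reports which direct dependency drags each transitive package in and where the same package ships in more than one version. The lockfile contents, package names and versions are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of an npm lockfile (lockfileVersion 3): "packages" maps each
# node_modules path to its metadata. Names and versions are made up for this example.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"web-framework": "^1.0.0", "logger": "^2.0.0"}},
        "node_modules/web-framework": {
            "version": "1.0.0",
            "dependencies": {"http-parser": "^3.0.0", "logger": "^2.0.0"}},
        "node_modules/logger": {
            "version": "2.1.0",
            "dependencies": {"colorize": "^0.5.0", "tiny-util": "^1.0.0"}},
        "node_modules/http-parser": {
            "version": "3.2.0",
            "dependencies": {"tiny-util": "^0.9.0"}},
        "node_modules/colorize": {"version": "0.5.3"},
        "node_modules/tiny-util": {"version": "1.0.1"},
        # nested copy: http-parser wants an older tiny-util, so a second one is installed
        "node_modules/http-parser/node_modules/tiny-util": {"version": "0.9.0"},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(packages, from_path, dep):
    """Mimic Node's lookup: nearest node_modules/<dep> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # the lockfile does not contain this dependency at all
        # step up one level: drop the trailing "/node_modules/<name>" segment
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def inventory(lock_text):
    """Return the declared (direct) packages, every transitive package with the
    direct dependencies that pull it in, and packages present in several versions."""
    packages = json.loads(lock_text)["packages"]
    direct = sorted(packages[""].get("dependencies", {}))
    introduced_by = defaultdict(set)  # lock path -> direct deps that lead to it
    stack = [(resolve(packages, "", d), d) for d in direct]
    while stack:
        path, root = stack.pop()
        if path is None or root in introduced_by[path]:
            continue  # unresolvable entry, or this root already walked through here
        introduced_by[path].add(root)
        for dep in packages[path].get("dependencies", {}):
            stack.append((resolve(packages, path, dep), root))

    transitive = {}
    versions = defaultdict(set)
    for path, roots in introduced_by.items():
        name = package_name(path)
        version = packages[path]["version"]
        versions[name].add(version)
        if name not in direct:
            transitive[f"{name}@{version}"] = sorted(roots)
    multi = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    return {"direct": direct, "transitive": transitive, "multi_version": multi}


if __name__ == "__main__":
    report = inventory(SAMPLE_LOCK)
    print("direct:", ", ".join(report["direct"]))
    for pkg, roots in sorted(report["transitive"].items()):
        print(f"transitive {pkg:<20} via {', '.join(roots)}")
    for name, vers in report["multi_version"].items():
        print(f"note: {name} is installed {len(vers)} times: {', '.join(vers)}")
```

Run against a real project by replacing SAMPLE_LOCK with the text of its package-lock.json. On the constructed sample two declared packages turn into four shipped transitive entries, and tiny-util appears twice, which is the kind of detail that neither the project authors nor a user who installs from npm will see from package.json alone. The walk only follows "dependencies"; devDependencies and optionalDependencies are left out on purpose, since they are not what ends up in a production install.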


Replies

bluGill, yesterday at 6:32 PM

What user is going to check dependencies like that?
