Open-source or not, this is surely an obvious choice.
Seeing projects (typically web) pulling in hundreds, if not thousands, of dependencies from PIP, CPAN, crates.io, NPM, etc. always makes me cringe.
Did anyone ever think this was not going to result in a security issue (and other technical debt)? Especially in network-related software it seems particularly mad.
Maybe open-source is getting a bit of flak because this kind of development style is less common with proprietary software. There are no language-based package managers just for closed-source software, for example.