node/npm -- the new php
I'm one of those ultra cynics who consistently refused to let PHP on any internet facing server back when I was working on, and had a say in, such things.
Today I consider the node ecosystem to be just as bad in terms of the effort required (not just one time but on an ongoing basis) to keep it secure.
And I don't think I'm alone. I've often found comments on reddit and elsewhere, where, if someone posts a new tool in nodejs, will respond with "Uggh, node!" or "Node? No!" or similar. This is especially true for apps which don't really need to be written in JS (i.e. could have been written in any other language), although I cannot say if those comments are also driven by security concerns or just a general dislike of JS.