As someone whose worked with React/Angular/Svelte/etc for the past 5-6 years, the biggest benefit and the biggest hurdle to these frameworks is the complexity. The complexity in these frameworks has resulted in us being able to build massive complex applications, but if not done with the proper level of care, that application will be a performance crap sandwich.

And that I would say is the biggest problem with these stacks, they are incredibly powerful and can get you places but you have to know how to use them! If you are an experienced web developer you should be able to pick up these frameworks and run with them. But the problem arises when you have a team made up of a number of Sr developers along with Mid/Jr devs. The Sr devs might know all these footguns and hurdles, but the Jr's/Mid's might not. With a small team this gap in knowledge can be effectively managed but the issue really becomes apparent when you have multiple teams, all with the same makeup.

But say you are building an app with a very experienced team and don't run into the knowledge issues above, well you can still have issues depending on your vendors. In this case I'm talking about say a chatbot or some other integration into your app where the vendors team wrote said code. In this case you have the same issue where you can have the most experienced devs on your team, but if the vendor wrote some crap code, you're going to have issues in your app.

All of this is to say, applications have just become massive recently, and managing that complexity and making sure your application stays performant gets harder and harder.

And there are a number of vulnerabilities with those packages, which are not being fixed. I think NPM should remove any package that are not maintained or have severe (any?) vulnerabilities. IMO, we have too many packages,some restriction to publish will be good.