
It’s not even that Twitter is hostile; allowing any third-party JavaScript onto your website is a mistake.


But how will marketing determine the effectiveness of their efforts if I don't "just add a single line of code" for every social media company to our website? </sarcasm>


It is even worse than that. Google nowadays still uses this argument, telling you that only this way they can optimize your ad placement towards Conversions.

While at the same time telling you (in their documentation) that due to script blockers and GDPR they just estimate (using more fancy terms and talking about ML & AI) the Conversions they report (and use for optimization).

They basically tell you: Trust us - we estimate your success in your best interest. As if they were a neutral party in that equation.


Laughs in node_modules


We're too busy to worry about laughing, need to optimise for new behaviours not redesigning the laugh. </S>


True, npm packages are a risk. However, I think that there is a big difference between using npm packages and loading JavaScript from a third-party domain: with an npm package, you can inspect the source. If you don’t like what you see, you can avoid the package. I’m sure that most developers fail to do so, and just blindly trust that the package will do what it says and nothing else, but at least the opportunity is there. If you load JavaScript from a third-party domain you lose that opportunity, and all hope of keeping your website secure and your visitors' privacy intact.
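
An added example, not part of the thread: a Python audit that lists every `<script src>` on a page that resolves to a different origin than the page itself, and notes whether it carries an `integrity` attribute (without one, the remote host can change the file at any time). The page URL, hostnames and HTML sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class ScriptAudit(HTMLParser):
    """Collect external scripts whose origin differs from the page's."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin(page_url)
        self.findings = []  # (resolved_url, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script: served by the site itself
        # Resolve relative and protocol-relative (//host/path) references.
        resolved = urljoin(self.page_url, src.strip())
        if origin(resolved) != self.page_origin:
            self.findings.append((resolved, bool(attrs.get("integrity"))))

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
PAGE_URL = "https://example.test/index.html"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://example.test:443/vendor/lib.js"></script>
<script async src="//widgets.social.example/embed.js"></script>
<script src="https://cdn.example.net/lib.min.js" integrity="sha384-CONSTRUCTED"></script>
<script>console.log("inline")</script>
</head></html>"""

if __name__ == "__main__":
    for url, pinned in audit(PAGE_URL, SAMPLE_HTML):
        print(("pinned  " if pinned else "UNPINNED"), url)
```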



