It sure would be a real bummer if some hot shot programmer on a bad day inadvertantly left a backdoor open in the code.
Can you imagine the ransomware claim? What a horrible situation to have to deal with.
I really hope this kind of thing never happens, but last time I built an NPM package (think latest and greatest) I was besotted with all kinds of build messages from saving the whales to donating to hungry programmers.
I'd be much happier having a human up front with an override button to effectively reduce all this autonomous effort to zero when needed.