
Debian IS more cautious with dependencies, in that you won't get hidden dependencies that aren't in the repos.

I don't want to install an app that downloads and executes 500 node packages that I don't know what they do. Those packages should already be vetted and in Debian. If not, then I'm not interested.

Sidestepping the distro repos for dependencies for software in the repos leads to unexpected behavior.



> Debian IS more cautious with dependencies, in that you won't get hidden dependencies that aren't in the repos.

For a definition of cautious I don't personally share.

Debian doesn't vet packages. Debian maintainers are less competent than the "upstream" they question approximately all the time, which is why they keep breaking stuff in more or less severe ways (OpenSSL anyone?). And let's not even talk about the insane stuff like when maintainers decide to support a fork they like instead of the piece of software users actually want (Libav anyone?).

> If not, then I'm not interested.

And that's your choice. That doesn't mean developers should care, nor that it is actually a good idea.


Eventually, someone must take source code and build and package the software.

When it's Debian maintainers, one at least knows the rules they are operating by. For random people on the internet, it's usually more difficult to evaluate, vet them, and trust what they are doing.

Of course, I don't know you personally nor any software package that you are releasing so this is not an observation directed to you.


Competent is one thing, malicious is another.

I can agree that debian maintainers are generally more incompetent, but they do actually vet dependencies for conforming to Debian ideology.

Upstream may be developing malware, they may be adding telemetry or ads. So if we just allow them to install 500 node packages that we don't know what they do... That's suspicious. That's asking for trouble.

Debian keeps a tight control on its supply chain. It's not perfect or bug free, but it is within Debian's goals.

So if you want a free distro with almost completely free sources, then Debian is really one of your only choices.
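The thread's concern (an install that pulls hundreds of npm packages "that I don't know what they do" and runs their install scripts) can be checked before anything executes, because an npm lockfile records which packages carry lifecycle scripts, where each tarball is fetched from, and whether it is pinned by an integrity hash. The script below is an added example written for this page, not code from any of the commenters or from Debian; the lockfile it parses is constructed and the package names, URLs and hashes in it are made up. It reads the lockfileVersion 2/3 "packages" layout that npm writes, counts the packages that would be fetched, and flags three things a reviewer would want to see: packages with `hasInstallScript` (these run code at install time), packages with no `integrity` field, and packages resolved from a host other than the ones you trust.

```python
"""Audit an npm package-lock.json before installing: which packages run
install scripts, which are not integrity-pinned, and which come from
an unexpected host. Added example; the lockfile below is constructed."""
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfileVersion 3 "packages" layout).
# Names, URLs and hashes are invented for this example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "demo-app",
            "dependencies": {"pad-left-ish": "^1.0.0", "native-thing": "^2.0.0"},
        },
        "node_modules/pad-left-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/pad-left-ish/-/pad-left-ish-1.0.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/native-thing": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/native-thing/-/native-thing-2.0.0.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,  # npm sets this when the package has (pre|post)install scripts
            "dependencies": {"helper": "^0.1.0", "mirror-dep": "^3.0.0"},
        },
        "node_modules/native-thing/node_modules/helper": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/helper/-/helper-0.1.0.tgz",
            "integrity": "sha512-CCCC",
        },
        "node_modules/mirror-dep": {
            "version": "3.0.0",
            # Not from the public registry and carries no integrity hash.
            "resolved": "https://mirror.example.invalid/mirror-dep-3.0.0.tgz",
        },
    },
})

# Hosts you are willing to fetch tarballs from; adjust for a private registry.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(path):
    """Map a lockfile path to the package name:
    'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return counts and sorted lists of packages that deserve a look."""
    lock = json.loads(text)
    findings = {"total": 0, "install_scripts": [], "no_integrity": [], "untrusted_source": []}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or workspace symlink, nothing is fetched
        findings["total"] += 1
        name = package_name(path)
        if meta.get("hasInstallScript"):
            findings["install_scripts"].append(name)
        if "integrity" not in meta:
            findings["no_integrity"].append(name)
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host not in trusted_hosts:
            findings["untrusted_source"].append(name)
    for key in ("install_scripts", "no_integrity", "untrusted_source"):
        findings[key].sort()
    return findings


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCKFILE)
    print(f"{result['total']} packages would be fetched")
    for key in ("install_scripts", "no_integrity", "untrusted_source"):
        print(f"{key}: {', '.join(result[key]) or '(none)'}")
```

Point it at a real `package-lock.json` instead of the constructed one, read the flagged packages' scripts before installing, and if you do not need them run `npm ci --ignore-scripts` and invoke the few builds you actually require explicitly. Tools such as `npm audit` check for published advisories; this check is about what a package is allowed to do on your machine, which is the distinction the comments above are drawing.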



