Oct 24, 2019
Not a silly question at all. I wouldn’t consider it a problem. If an npm package had a known vulnerability in the browser, the enemy isn’t someone reading your network requests and seeing that you use it. As a hacker, I’d find a unique string for that package in the bundled JS and send out a bot to check a few million sites.