Larger projects tend to have more dependencies too, so why not rail against large projects?

Because there will be fewer of them.

Fewer packages? Who is to determine the optimal number of packages? Not sure how that benefits anyone. I hesitate to accuse you of trolling but your argument does not seem all that coherent.

It's pretty simple: the more dependencies there are, the more upstream authors you have to trust.

That assumes a lot. My code may utilize one dependency that itself utilizes a few dozen useless ones. Whereas someone else may carefully choose 20 dependencies, none of which include any dependencies.

The issue is measuring the trustworthiness of a dependency, and recursively doing that operation throughout the dependency graph.

Simply focusing on the number of dependencies or the size of a dependency is silly.