In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I’d be more concerned.
Canonical and Debian both target the professional server space. I’ve spent pretty much my entire career working on Debian-based distros.
Hell, the one company I worked for that I expected to use RHEL used Ubuntu for everything, so 🤷‍♂️.