because generally projects like these have some opinionated person who is maintaining it, which actively blocks "get the ssh-keys"-patches. compare that to the 100+ dependencies of your typical node-package.
Having many dependencies can be a problem. And the node ecosystem is a total joke.
But if the question was why not split it up into smaller files (which it was), then that's nothing to do with the number of dependencies or the number maintainers. My point is that auditing a program with no external dependences doesn't get any easier if the code is contained in one file or across ten.
