But that specific incident had nothing to do with using a VCS for packages? He removed left-pad from npms index, the code behind it was still online. Or did you mean more generally in a "single point of failure/removal" sense?
When you have a system where an individual can remove one item in a vast dependency tree where no one has central oversight you create risks like this. This also says a lot about relying on external dependencies like there is no tomorrow, but the point is still valid. I can imagine a thousand ways to break a system like this.
Apart from that, version control systems are optimized for controlling versions, not delivering static content.
