
I wrote two comments[0][1] on Reddit about this, but I think there's a bit of JS-bashing happening here since a lot of the issues described here are relevant to many package managers other than NPM.

There are notable problems with how modern software is built with deep dependency graphs and the potential supply chain attacks that are possible because of this, but none of that is exclusive to NPM. NPM has a preference for small single purpose packages and JS is massively popular which might make this problem worse, but it's a problem for a lot more communities and languages than JS/NPM.

0: https://www.reddit.com/r/programming/comments/cjnoqi/no_way_...

1: https://www.reddit.com/r/programming/comments/cjnoqi/no_way_...




The problems mentioned are relevant to other package managers and languages, but they’re obvious problems that other package managers solved 20+ years ago.

Even the ones that haven’t solved the underlying problems have done substantially better jobs mitigating them than NPM. (pip and docker hub are the only counterexamples that come to mind).


> The problems mentioned are relevant to other package managers and languages, but they’re obvious problems that other package managers solved 20+ years ago.

Which package managers and how? The ones I can think of[0] and am familiar with suffer from the same or very similar problems[1].

0: Bundler, Cargo, CocoaPods, Composer, Pip (to a lesser extent)

1: Name squatting, typo squatting, malicious versions via compromised accounts/publishing credentials, compromises to the delivery infrastructure (AFAIK NPM protects against this with the integrity field in package-lock.json)


More to the point, if a package maintainer turns malicious, as it appears was the case here, none of the changes this article is suggesting will help at all.

2FA means nothing if you can't trust the person publishing the package.


Compare and contrast with a modern design, like Nix. npm's conception of packages as named, owned, versioned, published, etc. is all window dressing around an inherently-faulty set of assumptions.



