a4isms 3 days ago

I think everything you're saying about the difference between school shootings and NPM supply chain attacks is correct, but at the same time "You made a joke about why A is like B, but here's why A and B are actually different, therefore the joke is not funny" is not persuasive. Comedy does not need to be rigorous; the person you're replying to is not arguing that supply chain attacks are like school shootings, therefore open source programmers should do active shooter drills. That would be fallacious reasoning.

It's literally just a joke. If it tickles your fancy, it works for you. If you get lost in the weeds of comparing the socio-political mechanisms of open source to guns, or note that supply chain attacks happen to other package managers, the joke won't work for you.

I assure you, it works just fine for me even though, yes, I think it would be ridiculous to claim there's anything more to the comparison than, "This thing keeps happening, nobody thinks doing anything about it is worth the bother, so look at that, it keeps happening."

acdha 2 days ago

I chuckled, too, but I’m a Python developer and it’s not like this doesn’t happen there either. If you want the shorter version: “laugh after you’ve hardened your update process”.