Maybe language-based package managers aren't great. Also, npm has design decisions that make it especially prone to supply chain attacks, IIRC.