> for example the stream of issues from npm et al.

Curious, what distros where affected by npm supply chain attacks?

It's npm that's affected, therefore it's not even considered when choosing language/ecosystem for writing distro tools. You'll find no sane distro writing package manager in javascript precisely to avoid this joke of a supply chain.