p-e-w an hour ago

With the recent high-profile attacks on PyPI packages, it’s no longer true that npm is the “only package manager where this regularly happens”.

In fact, pip is much more dangerous than npm because it lacks a lockfile. uv fixes that, but adoption is proceeding at a snail’s pace.
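Added example, not part of the thread: the closest thing stock pip has to a lockfile is its hash-checking mode (`pip install --require-hashes -r requirements.txt`), which refuses to install anything that is not `==`-pinned and does not carry a matching artifact hash. The script below audits a requirements file for exactly those two properties, so a CI job can fail before an unpinned or hash-less entry reaches an install step. The sample requirements text and its sha256 values are constructed placeholders, not real package hashes.

```python
"""Audit a pip requirements file for lockfile-grade pinning.

Constructed example. pip's --require-hashes mode rejects any requirement
that is not pinned to one exact version with at least one artifact hash;
this script checks a requirements file for the same two properties so a
defect is caught before install time.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder digests (64 hex chars each), not real hashes.
H1, H2, H3 = "0" * 63 + "1", "0" * 63 + "2", "0" * 63 + "3"

# Constructed sample: two good entries, one version range, one pinned but
# hashless entry, and one whose hash value is malformed.
SAMPLE_REQUIREMENTS = f"""\
--index-url https://pypi.org/simple  # option line, not a requirement
# good: pinned and hashed (continuation lines joined with a backslash)
requests==2.32.3 \\
    --hash=sha256:{H1} \\
    --hash=sha256:{H2}
certifi==2024.8.30 --hash=sha256:{H3}
urllib3>=2,<3          # bad: version range, resolver decides at install time
idna==3.10             # bad: pinned but no hash, any artifact is accepted
charset-normalizer==3.4.0 --hash=sha256:notahexdigest ; python_version >= "3.8"
"""

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>\S+)")
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*(?P<version>[^\s;]+)"
)


@dataclass
class Finding:
    line_no: int          # first physical line of the offending requirement
    requirement: str      # the requirement specifier as written
    problems: list[str] = field(default_factory=list)


def logical_lines(text):
    """Yield (line_no, text) with comments stripped and backslash continuations joined."""
    buf, start = [], None
    for i, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' at line start or after whitespace as a comment marker
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if start is None:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def audit(text):
    """Return a Finding for every requirement that --require-hashes would reject."""
    findings = []
    for line_no, line in logical_lines(text):
        if line.startswith("-"):
            continue  # option lines (--index-url, -e, -r) are not requirements
        problems = []
        if not PIN_RE.match(line):
            problems.append("not pinned with ==")
        hashes = HASH_RE.findall(line)
        if not hashes:
            problems.append("no --hash")
        for alg, digest in hashes:
            # only accept sha256 digests that are exactly 64 lowercase hex chars
            if alg != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", digest):
                problems.append(f"malformed hash {alg}:{digest}")
        if problems:
            findings.append(Finding(line_no, line.split()[0], problems))
    return findings


def is_lockfile_grade(text):
    """True when every requirement is pinned and hashed, i.e. safe for --require-hashes."""
    return not audit(text)


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.requirement}: {', '.join(f.problems)}")
    print("lockfile-grade:", is_lockfile_grade(SAMPLE_REQUIREMENTS))
```

Run against a real requirements file by reading it into `audit()`; a non-empty result is the signal to fail the pipeline. Hash values for a real file come from `pip hash` on the downloaded artifact or from the index's published digests, never from the checker itself.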

godzillabrennus an hour ago | parent | next [-]

UV adoption is happening, though. NPM is still the only name in town.

manquer an hour ago | parent [-]

Huh? uv is a package manager, not a registry.

In the JS world there is plenty of competition for package managers: pnpm / yarn / bun are all viable alternatives to npm the package manager.

Public registries for languages tend to coalesce around one service. Nobody wants to publish their library to 4 different registries.

esafak an hour ago | parent | prev | next [-]

Apparently it does now: https://packaging.python.org/en/latest/specifications/pylock...

https://pip.pypa.io/en/stable/cli/pip_lock/

But who cares about pip, uv is here.

fragmede an hour ago | parent | prev [-]

I don't know about snails, but everything I'm in contact with has moved over to uv, and I can't imagine I'm the only one.