Maybe language based package managers aren't great. Also, npm has design decisions that make it especially prone to supply chain attacks iirc

JS apps need more direct dependencies and transitives to do basic things vs. other languages.