I’m not sure language package mangers were a good idea at all.
Dependencies were supposed to be painful.
If the language needed some functionality built in it was supposed to go into the standard library, I understand that for JS this isn’t feasible.
It is not package managers. It is due to the poor NPM ecosystem: lots of crappy packages (like left-pad), auto updates, lots of dependencies, post install scripts, insecure language.
These security problems happen much less often in other ecosystems. There is nothing even remotely as bad as NPM.
There was a very similar discussion on lobsters the other day. You might be interested in reading it.
In general, I agree with the idea that writing everything yourself results in a higher quantity of low quality software with security issues and bugs, as well as a waste of developers' time. That said, clearly supply chain attacks are a very real threat that needs to be addressed. I just don't think eliminating package managers is a good solution.
