For the last 2 years PyPi (main Python package repository) requires mandatory 2FA.

Last time I did anything with Java, felt like use of multiple package repositories including private ones was a lot more popular.

Although higher branching factor for JavaScript and potential target count are probably very important factors as well.