It just so happens that all of those languages share the worst design points, such as the need for a package manager at all and the classic "eval and equivalents run arbitrary code".

>All package managers have the insane security model of "arbitrary code execution with no constraints".

Not all of them, just the most popular ones for these highly sophisticated, well thought-out bunch of absolute languages.

I tend to agree but think npms post install hook is a degree worse. Triggering during install, silently because npm didn't like someone using the feature to ask for donations, is worse than requiring you to load and run the package code.