> they just move slower so it’s not as attractive of a target.
Well, there’s other things. Maven doesn’t allow you to declare “version >= x.y.z” and doesn’t run arbitrary scripts upon pulling dependencies, for one thing. The Java classpath doesn’t make it possible to have multiple versions of the same library at the same time. That helps a lot too.
NPM and the way node does dependency management just isn’t great. Never has been.
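The three properties this comment contrasts (version ranges, scripts run at install time, several versions of one library in the same tree) can be checked in an npm project. The following is an added example, not part of the original comment: the manifest, the lockfile and the function names are constructed for illustration, and it assumes a lockfile v2/v3 `packages` map with npm's `hasInstallScript` field.

```javascript
// Constructed sample data (not from a real project).
const manifest = {
  dependencies: { "left-lib": "1.2.3", "web-kit": "^4.0.0", "parse-util": ">=2.1.0" },
  devDependencies: { "build-tool": "latest" },
};
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-lib": { version: "1.2.3" },
    "node_modules/web-kit": { version: "4.1.0" },
    "node_modules/parse-util": { version: "2.3.0", hasInstallScript: true },
    "node_modules/web-kit/node_modules/parse-util": { version: "1.9.0" },
    "node_modules/build-tool": { version: "7.0.1", hasInstallScript: true },
  },
};

// Exact semver only: anything else (^, ~, >=, *, tags, URLs) can resolve differently later.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function floatingRanges(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"])
    for (const [name, spec] of Object.entries(pkg[field] || {}))
      if (!EXACT.test(String(spec).trim())) out.push({ field, name, spec });
  return out;
}

// Lockfile v2/v3 flags packages that carry install-time scripts.
function installScriptPackages(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Package names resolved to more than one version in the same tree.
function duplicateVersions(lockfile) {
  const seen = new Map();
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace entry
    const name = path.slice(i + "node_modules/".length);
    if (!seen.has(name)) seen.set(name, new Set());
    seen.get(name).add(meta.version);
  }
  return [...seen].filter(([, v]) => v.size > 1)
    .map(([name, v]) => ({ name, versions: [...v].sort() }));
}

console.log(floatingRanges(manifest), installScriptPackages(lock), duplicateVersions(lock));
```

Installing with `npm ci --ignore-scripts` keeps the flagged install-time scripts from running while each one is reviewed.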