Other package managers are magically immune?
You could write most of the CLI tools using the stdlib in Python and Go, without the need to include hundreds of libraries even for trivial things.
yes obviously.
isn't it obvious?
it should be obvious.
why isn't it obvious?
They are not, but npm is uniquely bad in that regard. Refusal to implement security features that would have made attacks like this harder really doesn't help https://github.com/node-forward/discussions/issues/29