Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!