Hacker News

amitport today at 2:56 AM

To be fair, NPM sucked long before it got acquired by Github/Microsoft.

And to be fair 2: The other package repos also suck.


Replies

creesch today at 10:00 AM

> And to be fair 2: The other package repos also suck.

If you mean other languages, then yeah a lot of similar issues and weirdness there as well. Maven dependencies in any complex project are a "fun" challenge as well.

Though the sort of recurring supply chain attacks you see within the npm ecosystem is something I haven't seen elsewhere to this degree.

jbverschoor today at 5:12 AM

Yeah, but the azure supply chain attack explains why all of a sudden they can make this change.

It seems that if you want to get something important changed in npm, you simply need to exploit some of its shortcomings against Microsoft instead of discussing why it’s necessary.

tempay today at 5:12 AM

To be fair, the entire problem space sucks and I’m not sure it’s possible not to.