by _pmf_ 3080 days ago
Maven/Gradle don't allow un-namespaced packages; nobody knows for sure how deep up their arse npm's designers had their heads when they made non-namespaced packages possible (it was even the only way in the beginning; I don't know if it's still the default).

Additionally, there's the problem of npm's fine-grained dependencies (which have become a laughing stock in themselves). In my large Java projects, while I don't know every single dependency, I know all the "vendors", i.e. the trusted upstream namespaces I use, and their transitive dependencies. There's the occasional non-Eclipse, non-Google, non-Apache dependency (say, XStream), but I am aware of it and pin it to a specific version. npm, with its thousands of dependencies by hundreds of pseudonymous developers for simple projects, is an abomination.

1 comment

`Crates.io` (the Rust package ecosystem) doesn't have namespaces and operates on the first-come, first-served principle. They won't resolve name-squatting issues, so something like the left-pad debacle won't happen. I think their policy[0] is quite sane. At least I'm not aware of any issues of that kind regarding crates.io.

For typosquatting: I don't think that problem can be easily solved by package registries. They could warn you if there is a package with a similar name (and more votes, downloads, whatever), but aside from that, the developer should double-check the dependency names and that's it.

[0]: https://crates.io/policies
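As an added illustration of the "similar name with more downloads" warning the comment above proposes (example code written for this thread, not from either commenter or any registry), the check below compares each declared dependency against a constructed registry snapshot and flags names within one edit, including a transposition, of a far more popular package. The registry contents and download counts are made up for the example.

```python
# Added example: flag dependency names that sit within a small edit distance of a
# much more popular package name. REGISTRY is a constructed, illustrative snapshot
# (name -> download count); none of the numbers are real.
from typing import Dict, List, Tuple

REGISTRY: Dict[str, int] = {
    "lodash": 50_000_000,
    "express": 20_000_000,
    "request": 15_000_000,
    "left-pad": 10_000_000,
    "expres": 120,       # constructed look-alike of "express"
    "reqeust": 3,        # constructed look-alike of "request" (transposition)
    "my-own-lib": 40,    # legitimately obscure package, should not be flagged
}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and swap
    two adjacent characters. Swaps cost 1 so typo-style transpositions are caught."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def suspicious_deps(deps: List[str], registry: Dict[str, int],
                    max_distance: int = 1, ratio: int = 1000) -> List[Tuple[str, str, int]]:
    """Return (declared, lookalike, distance) for each declared name that is within
    max_distance edits of a package with at least `ratio` times its own downloads.
    Unknown names count as zero downloads, so they are compared against everything."""
    hits = []
    for dep in deps:
        own = registry.get(dep, 0)
        for name, downloads in registry.items():
            if name == dep or downloads < own * ratio:
                continue  # same package, or not enough more popular to be the "real" one
            dist = edit_distance(dep.lower(), name.lower())
            if dist <= max_distance:
                hits.append((dep, name, dist))
                break
    return hits


if __name__ == "__main__":
    # Constructed dependency list (e.g. from a package.json) containing two typos.
    for dep, lookalike, dist in suspicious_deps(
            ["lodash", "expres", "reqeust", "left-pad", "my-own-lib"], REGISTRY):
        print(f"{dep!r} is {dist} edit(s) from the far more popular {lookalike!r}")
```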