by zer01 2631 days ago
Yeah if you're going to sling shit like this, link to your sources. I've handled incidents involving both ecosystems over the past year and they're pretty comparable.

NPM also bought a security company (https://blog.npmjs.org/post/172793182214/npm-acquires-lift-s...) and integrated NSP directly into NPM in the form of `npm audit`.

Ruby/Gems has `bundler-audit`, which is equally good, but a separate project with a looser integration.