by igolden 2627 days ago
To all replies of this comment - it came off wrong. I didn't mean to "sling shit".

I was referring to the 'event-stream' incident in which the package maintainer unknowingly passed it off to a new malicious maintainer (he has hundreds of modules). The far cry between the two was that the original maintainer basically wiped his hands clean of the incident, whereas in this _specific_ scenario the maintainers of 'bootstrap-sass' offered suggestions on how to improve the security and prevent similar events in the future. I was impressed by the prompt and professional response by the maintainers, that's all.

That being said - I generalized my comment too much, and I agree with zer01 that npm and bundler communities are very comparable and both do a great job.