by Bartweiss 2468 days ago
Mechanically, I believe the main difference is that NPM corresponds to PyPi + pip; it's both registry and repository. PyPi is Python's official package repository and pip's default source, but it's not pip's only possible source. If someone pulls code off PyPi, pip can still link to it elsewhere.

When the left-pad debacle [1] broke major packages, the triggering event was that NPM-the-registry took a module name away from a developer and gave it to a company (which held it as a trademark). He got mad and took all his code off NPM-the-repository, including left-pad. To settle the chaos, NPM had to restore the deleted code against the developer's wishes - even though his code was still available on GitHub.

Realistically, though, that would still cause some chaos and it doesn't seem to be the key difference. The more important differences are legal and practical.

npm, inc. is a private company, while PyPi (via Warehouse) and pip are both open-source and donation funded. Even if npm doesn't get up to anything malicious, they depend on keeping their registry and repository unified, and they're more likely to attract and buckle under trademark suits than PyPi.

Even more importantly, npm modules are tiny. PyPi packages and Ruby gems may be single-purpose, but they usually do something which isn't completely trivial, and common functions like math libraries are built into larger packages. npm left-pad was 17 lines of string-padding code that almost anyone could write. Other modules are even sillier; isArray has millions of weekly downloads for what is effectively a single line of code. Blank npm templates have tens of thousands of files loaded even before you start coding.[2] So fundamentally, a big part of the issue is just that node projects tend to pull in 10x or 100x more dependencies than most other projects.

[1] https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

[2] https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how...
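As an added example (not part of the comment above, and not npm's or pip's own code): a small Python script that walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, resolving dependencies the way node looks up nested `node_modules` directories) and reports how many installed copies a project really pulls in, since that transitive surface is what a registry-side deletion or name takeover can reach. The lockfile contents and package names (`pad-lib`, `is-arr`, `tiny-util`) are constructed for the demo.

```python
import json
from collections import deque

# Constructed sample lockfile (lockfileVersion 3, not a real project): a nested copy of is-arr shadows the top-level one.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"pad-lib": "^1.0.0", "is-arr": "^2.0.0"}},
        "node_modules/pad-lib": {"version": "1.0.0",
                                 "dependencies": {"is-arr": "^1.0.0", "tiny-util": "^0.1.0"}},
        "node_modules/pad-lib/node_modules/is-arr": {"version": "1.0.0"},
        "node_modules/is-arr": {"version": "2.0.0"},
        "node_modules/tiny-util": {"version": "0.1.0", "dependencies": {"is-arr": "^2.0.0"}},
        "node_modules/unused-dev-tool": {"version": "3.0.0", "dev": True},
    },
})


def resolve(packages, requester, name):
    """Node-style lookup: try <requester>/node_modules/<name>, then walk up towards the root."""
    path = requester
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        idx = path.rfind("/node_modules/")
        path = path[:idx] if idx != -1 else ""  # drop the innermost nesting level


def dependency_surface(lock_text):
    """Walk the install tree from the root entry and summarise what really gets pulled in."""
    packages = json.loads(lock_text)["packages"]
    direct = set(packages[""].get("dependencies", {}))
    depth, queue = {}, deque([("", 0)])  # shortest install depth per reachable copy
    while queue:
        path, d = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None and target not in depth:
                depth[target] = d + 1
                queue.append((target, d + 1))
    names = {p.rsplit("node_modules/", 1)[1] for p in depth}
    return {
        "direct": len(direct),
        "reachable_copies": len(depth),               # every installed copy the root can reach
        "transitive": len(depth) - len(direct),
        "duplicate_copies": len(depth) - len(names),  # same name installed more than once
        "max_depth": max(depth.values(), default=0),
    }
```

Run it against a real lockfile by passing the file's text to `dependency_surface`; the dev-only entry in the sample is deliberately unreachable from the root and so is not counted.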