Those same points (but the NodeJS/NPM version of them) is a lot of why that ecosystem is having security and reputation issues as well.