But on the other hand, getting a library into Debian so users can eventually install it is also a somewhat big and lengthy process that takes time (and rightly so), compared to npm et al., which amounts to "npm publish" and you're done, basically.
Don't get me wrong, I'm not saying one is better/worse than the other, but there are tradeoffs that not everyone is willing to make. I personally prefer the slower, more intentional/reviewed option of package repositories like Debian and Arch, but things like npm/PyPI/AUR have their uses too.
> getting a library into Debian is also a somewhat big and lengthy process, compared to npm et al., which amounts to "npm publish" and you're done, basically.
Which is a good thing. It's not like npm skiddies use this agile process to revolutionize the industry with AGI; they do left-pad and a different framework every week.
Except, how "reviewed" is it? You maintain a package for years to gain trust, and once you become trusted you introduce a backdoor that most people won't know about.
If you reduce your dependencies, you start appreciating the OS ecosystem: it doesn't always have the latest versions or all the newest packages, but it's stable and lacks vulns.
All of this is proper to a foundation layer. So as a dev you find that the first dependencies to go are at the app layer, and all that is left are OS dependencies.