Language-exclusive package managers like this are nightmares for security, but npm simply does things so poorly I feel like they wanted something insecure.
That isn't a language-exclusive package manager. I mean things like npm and pip. It isn't necessarily that they're language-exclusive; it's that they all tend to have features that aren't good security-wise because they aid in developing in that language.