~ some guy on the internet, July 2020
It's ridiculously easy to upload npm packages, which leads to people creating dependencies for things like checking if a number is odd. Compartmentalizing things into reusable bits isn't really all that bad, but for some reason npm takes it to the extreme.
Part of the issue is that npm installs dependencies per-package, meaning you can have 20 duplicates of the same package in a project's node_modules folder because you, somewhere down the line, have 20 unique packages that all have the same dependency. I hear npm sort of has some dedupe to prevent this, so maybe these thoughts are misguided.
Python/pip, on the other hand, installs dependencies per-virtualenv (or globally if you don't use a virtualenv), which can have some issues where package x depends on an updated version of package z, but package y doesn't work with the newer versions of package z. This, in my experience, is very rare, and when you require a specific package version it's probably because you're writing production code that's intended to be in a virtualenv anyway.
It also helps that Python's standard library is pretty comprehensive, and only getting larger.
Trying to track down and fix vulnerabilities in dependencies of dependencies of dependencies [... etc] is the crustiest thing I've ever had to do in any programming language, and I'm not happy to say that it was one of the easier fights I've had with npm/yarn.
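The two mechanics the comment complains about, per-package nesting that leaves several copies of one package in node_modules and the work of tracing which dependency chain pulled in a vulnerable copy, can both be inspected from a project's package-lock.json. The following is an added example, not the commenter's code and not part of npm: it indexes the `packages` map that lockfileVersion 2 and 3 lock files carry (keys are paths like `node_modules/a/node_modules/b`), reports packages installed more than once, and for one package name lists every installed copy together with the dependents that Node's lookup rule (look in `./node_modules`, then walk up) would resolve to it. `SAMPLE_LOCK` is a constructed lock file with made-up package names; the function names are this example's own.

```javascript
// Added example (not the commenter's code): index an npm package-lock.json
// ("packages" map, lockfileVersion 2 or 3) to list duplicate installs and, for
// one package name, every installed copy plus the dependents that resolve to it.
// SAMPLE_LOCK is a constructed lockfile, not a real project.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "lib-a": "^1.0.0", "lib-b": "^2.0.0", "util-z": "^3.0.0" } },
    "node_modules/lib-a": { version: "1.4.0", dependencies: { "util-z": "^3.0.0" } },
    "node_modules/lib-b": { version: "2.1.0", dependencies: { "util-z": "^2.0.0", "lib-c": "^1.0.0" } },
    // util-z@2.x cannot share the hoisted slot with util-z@3.x, so npm nests a copy per dependent
    "node_modules/lib-b/node_modules/util-z": { version: "2.9.1" },
    "node_modules/lib-c": { version: "1.0.3", dependencies: { "util-z": "^2.5.0" } },
    "node_modules/lib-c/node_modules/util-z": { version: "2.9.1" },
    "node_modules/util-z": { version: "3.2.0" },
  },
};

// Package name from a lockfile path: the text after the last "node_modules/"
// (also works for scoped names such as "node_modules/@scope/pkg").
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Node's module lookup applied to lockfile paths: look for
// <fromPath>/node_modules/<dep>, then walk up one package directory at a time
// until the project root ("") is reached. Returns the lockfile path or null.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Package names installed more than once, with the number of copies.
function duplicatePackages(lock) {
  const counts = new Map();
  for (const lockPath of Object.keys(lock.packages)) {
    if (lockPath === "") continue; // "" is the project itself
    const name = packageName(lockPath);
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n > 1)
    .map(([name, copies]) => ({ name, copies }))
    .sort((a, b) => b.copies - a.copies || a.name.localeCompare(b.name));
}

// Every installed copy of `name` (path + version) and the packages whose
// "dependencies" entry for `name` resolves to that copy ("(root)" = the project).
function installedCopies(lock, name) {
  const copies = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath !== "" && packageName(lockPath) === name) {
      copies.push({ path: lockPath, version: meta.version, dependents: [] });
    }
  }
  for (const [fromPath, meta] of Object.entries(lock.packages)) {
    if (!meta.dependencies || !(name in meta.dependencies)) continue;
    const target = resolveDependency(lock.packages, fromPath, name);
    const copy = copies.find((c) => c.path === target);
    if (copy) copy.dependents.push(fromPath === "" ? "(root)" : packageName(fromPath));
  }
  return copies;
}

// Copies of `name` whose version satisfies `isAffected`; each copy's dependents
// list is the set of packages to upgrade or patch to get rid of that copy.
function affectedCopies(lock, name, isAffected) {
  return installedCopies(lock, name).filter((c) => isAffected(c.version));
}

// Stand-alone report over the constructed lockfile.
for (const d of duplicatePackages(SAMPLE_LOCK)) console.log(`${d.name}: ${d.copies} copies`);
for (const c of affectedCopies(SAMPLE_LOCK, "util-z", (v) => v.startsWith("2."))) {
  console.log(`${c.path}@${c.version} <- ${c.dependents.join(", ")}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lock files that only carry the older `dependencies` tree (lockfileVersion 1) have no `packages` map and are not handled here. The point the report makes is the one in the comment: the hoisted util-z@3.2.0 satisfies the root and lib-a, but lib-b and lib-c each get a private util-z@2.9.1, so a fix that only bumps the top-level util-z leaves two affected copies on disk until lib-b and lib-c themselves are updated.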