Not a month passes without something going wrong inside of npm, inc.; millions of developers are dependent on it, but nothing seems to worry people...
See also Entropic as a possible alternative to NPM: https://github.com/entropic-dev/entropic
Basically most of the top developers have left the company, others were laid off. It seems to be only a matter of time until none of the people working on npm a year ago remain.
When the left-pad debacle broke major packages, the triggering event was that NPM-the-registry took a module name away from a developer and gave it to a company (which held it as a trademark). He got mad and took all his code off NPM-the-repository, including left-pad. To settle the chaos, NPM had to restore the deleted code against the developer's wishes - even though his code was still available on GitHub.
Realistically, though, that would still cause some chaos and it doesn't seem to be the key difference. The more important differences are legal and practical.
npm, inc. is a private company, while PyPi (via Warehouse) and pip are both open-source and donation funded. Even if npm doesn't get up to anything malicious, they depend on keeping their registry and repository unified, and they're more likely to attract and buckle under trademark suits than PyPi.
Even more importantly, npm modules are tiny. PyPi packages and Ruby gems may be single-purpose, but they usually do something which isn't completely trivial, and common functions like math libraries are built into larger packages. npm left-pad was 17 lines of string-padding code that almost anyone could write. Other modules are even sillier; isArray has millions of weekly downloads for what is effectively a single line of code. Blank npm templates have tens of thousands of files loaded even before you start coding. So fundamentally, a big part of the issue is just that node projects tend to pull in 10x or 100x more dependencies than most other projects.
I don't live in the NodeJS world, but even I have heard about the package Left-Pad; all it does is pad a string from the left side. The author decided to pull it from the repo, rendering tons of other packages non-operational.
Though ES2017 added a number of string operations, including String.prototype.padStart.
In the Python world, it is indeed likely that unpublishing requests will cause issues, but the number of dependencies you'd need to audit/vendor is _much_ smaller for a typical python app than it is for a typical nodejs app, so your "attack surface" is also comparatively much smaller.
The result is that a lot of "simple" functionality that most languages would put in the stdlib (left-pad is the most infamous example) has to be reimplemented by library developers. Now, because programmers are for the most part not interested in copying the same code over and over, these simple functionalities end up on npm, where they are then used in somewhat bigger libraries, right up until you essentially create a massive dependency chain for each major library, since the dependencies for that library rely on other dependencies and so on and so forth.
This sounds interesting in theory, but in reality this almost always means that if one thing in this chain breaks (for example, a "simple" library introduces a breaking change but doesn't properly adhere to semantic versioning, since nobody enforces semantic versioning on npm although it's recommended), essentially the entire chain is broken and the top-level library stops functioning as well.
And then you end up with packages such as left-pad, which provide simple functionality that is almost universally needed by almost all major libraries. Now, the last thing you want to have happen here is that the maintainer either removes or breaks the package, since this essentially results in a dependency hell cascade as suddenly several million packages are broken.
Python, on the other hand, has probably one of the biggest standard libraries I've seen in a programming language, and the difference is outstanding. Most PyPi libraries are more focused on adding specialized features or simplifying otherwise lower-level libraries into higher-level ones (i.e. requests is really nothing other than a really good wrapper around urllib). There are very few "simple functionality" libraries on PyPi, since most of this functionality is already in the standard library. Usually if a library that is "simple functionality" isn't in the standard library, it's because it changes too often (the standard library is mainly for unchanging code, e.g. requests) or is still somewhat specialized (i.e. sqlalchemy or a couple of validator packages I use).
There are pros to Node's approach (i.e. you're generally not locked down to a single approach), but generally Python's approach to library management is better in my opinion.
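The cascade the comments above describe (one tiny package unpublished or broken, and everything above it in the chain stops working) is easy to measure once you have the dependency graph. The following is an added example, not code from the thread or from npm: a small transitive dependency walker over a constructed, lockfile-like graph. It reports the blast radius of a given package (every package that transitively depends on it, with the hop count) and enumerates the exact chains from an application down to that package, which is the check a reviewer wants before trusting a tree. All package names except left-pad and is-array are hypothetical, and the graph itself is constructed for illustration.

```javascript
// Constructed sample graph: package -> its direct dependencies, in the shape
// of a flattened lockfile. Names other than left-pad and is-array are made up.
const sampleGraph = {
  "my-app": ["web-framework", "db-client", "is-array"],
  "web-framework": ["template-engine", "is-array"],
  "template-engine": ["left-pad"],
  "db-client": ["query-builder"],
  "query-builder": ["left-pad", "is-array"],
  "left-pad": [],
  "is-array": [],
};

// Invert the edges: package -> the set of packages that list it as a
// direct dependency.
function reverseDeps(graph) {
  const rev = new Map();
  for (const name of Object.keys(graph)) {
    if (!rev.has(name)) rev.set(name, new Set());
    for (const dep of graph[name]) {
      if (!rev.has(dep)) rev.set(dep, new Set());
      rev.get(dep).add(name);
    }
  }
  return rev;
}

// Breadth-first walk from `target` towards its dependents. Returns a Map of
// package -> number of hops by which it transitively depends on `target`
// (1 = lists it directly), i.e. everything that breaks if `target` goes away.
function blastRadius(graph, target) {
  const rev = reverseDeps(graph);
  const hops = new Map();
  const queue = [[target, 0]];
  while (queue.length > 0) {
    const [name, depth] = queue.shift();
    for (const dependent of rev.get(name) || []) {
      if (!hops.has(dependent)) {
        hops.set(dependent, depth + 1);
        queue.push([dependent, depth + 1]);
      }
    }
  }
  return hops;
}

// Depth-first enumeration of every dependency chain from `root` down to
// `target`, so a reviewer can see which intermediate packages carry the
// exposure. Packages already on the current path are skipped, which keeps
// the walk finite even if the graph contains a cycle.
function dependencyChains(graph, root, target, path = [], seen = new Set()) {
  if (seen.has(root)) return [];
  const current = [...path, root];
  if (root === target) return [current];
  const chains = [];
  const nextSeen = new Set(seen).add(root);
  for (const dep of graph[root] || []) {
    chains.push(...dependencyChains(graph, dep, target, current, nextSeen));
  }
  return chains;
}

// Stand-alone usage: report what an unpublish of left-pad would break.
const radius = blastRadius(sampleGraph, "left-pad");
console.log(`${radius.size} packages transitively depend on left-pad:`);
for (const [name, depth] of radius) {
  console.log(`  ${name} (${depth} hop${depth > 1 ? "s" : ""} away)`);
}
for (const chain of dependencyChains(sampleGraph, "my-app", "left-pad")) {
  console.log("  chain: " + chain.join(" -> "));
}
```

On a real project the same two functions can be fed the `dependencies` map from a `package-lock.json`; the point of the exercise is that a package three hops down, which nobody on the team chose, is still a single point of failure for the application at the top.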
Privately hosted npm repos, checked-in to version control systems, etc.
There are plenty of solutions if you don't like npm. However, they carry the traditional costs of managing dependencies; if you want super super super easy above all else, that's what npm does.
There are lots of practical answers - PyPi is open source, Python packages aren't so fragmented, and so on. But honestly, a huge part of the difference is that PyPi has sponsors like PyPi and AWS using its baseline implementation. NPM's private repository system means the public system just doesn't have that kind of pressure on it.
What if a minor version change contains a relicensing of the library, for instance?
I guess my broader thought was that PyPi is a more reliable free offering than NPM because it's not focused on a 'premium' version for the biggest users. But that's different than AWS - presumably they're sponsoring it in a broader "making development accessible is good for AWS" sense.
Even if you avoid it by creating your own utils, chances are that the creators of the large packages you use (like a database manager or a REST framework) will depend directly or indirectly on those third-party tools.
The problem is that there's no good fix or alternative, it's hard to avoid a single point of failure.
For example Frea. It's a conservative approach for incrementally federating the package registry and you can start using it today. It's ready for all your traffic.
how it works: https://docs.google.com/presentation/d/16pxrYfpxxKRzhpMM0zZV...
- its CTO
- its COO co-founder
- a federal labor dispute
- its culture
- its reputation
- its business model to Github
But let's see how Entropic and GH package registries turn out.
Typically: to enhance their offerings, remove a competitor, or shut it down.
No C-level exec resigns "effective immediately" without either a transition plan in place or something concrete lined up. I get wanting to allow him to say he resigned instead of he was fired, but the silly language of the press release just makes it worse.
Because it's not a soap opera and you're not owed anything about the personal business of other people. As an individual, I have every right to control the narrative for why I've left a company (assuming nothing illegal).
I know it's standard business procedure to outright lie about these things but it becomes farcical when you basically sink an entire company and then get to "resign" and pretend it's not because you did a terrible job.
Only if it's a recurring issue. People can be a horrible contributor at Company A and a rockstar at Company B - should my entire future be anchored because of a single event? No thanks.
> I know it's standard business procedure to outright lie about these things
This is just silly. It's no different than how anyone reacts in any non-professional setting. Do you tell everyone in your life about every fuck up you make? So why expect that from our professional peers?
As a parent of two very lively small boys, I can say that "enough time with family" is a thing.
Retires from head football coach at University of Florida.
"I know it is time to put my focus on my family and life away from the field."
Becomes the head football coach at Ohio State.
I say this as a bitter Gators fan.
"Man I hate this place because ____, and I'd rather spend time with my family."
That doesn't preclude wanting to do other things too.
From the Register...
"According to people familiar with the matter, Bogensberger was asked to leave by the company's board of directors."
For more context...from Jonathan Cowperthwait, NPM's former vice president of marketing...
"Many of us spent the last year watching our friends and colleagues' struggle through our fingers, but I'm still profoundly confident in the company's ability to turn this around. Sometimes bad executives happen to a good company."
I only made it through the first ~10 tweets before clicking out, so maybe there's something I'm missing further in the thread. But to me, it just sounds like what you'd expect from someone being laid off.
It's a little weird that he didn't have a manager who would wish him well on his way out. But that's about it. The bit about a severance with a non-disparagement contract is absolutely standard, not out of the usual whatsoever (especially for a VC backed company like NPM).
That's a very common thing, laying people off in an insensitive manner. Lots of companies (even big, massively successful companies) do that all the time.
That doesn't make it right, but, whatever the reasons their board had for letting go of their CEO, laying people off in an insensitive manner is unlikely to be among them.
This article about union busting https://www.nytimes.com/2019/07/08/technology/tech-companies...
and this one about working conditions at npm https://www.businessinsider.com/npm-employees-open-letter-20...
or The Register who covered mostly everything that happened since the first layoff mentioned in my Twitter thread https://www.theregister.co.uk/2019/04/22/npm_fired_staff_uni...
But I know there are some boards of directors out there, who would view the ability to bust unions (and get away with it) as a reason to hire, not a reason to fire.
I don't know why they let go of their CEO. I wouldn't assume it was necessarily for any of the reasons you mentioned. It certainly could have been, but it also could very easily have been for completely unrelated reasons.
I wasn't mentioning those were the reasons, but that those were part of what happened in the last months.
This is a textbook example of if (when!) you get let go you should strongly consider an internet moratorium.
Often his replies are just "Thanks" style... But you know with him it's a very considered reply despite the terseness.
I'd suggest that such copious tweets (& follow up comments here) may very well harm future prospects... As you sow you reap. You need to learn to let things go: particularly in tech.
It's great that you like your (former) fellow employees: make friends with them and network with them. Alternatively, if you wish to make political actions, then undoubtedly you need to be more impersonal: just like the people who were tasked with outing you.
The fact that I shared my story like I did, and am doing now, was beneficial on all levels for me. I stayed true to my principles and values. I was approached by companies and managers who have the same values also. It helped me get back on my feet emotionally and professionally way more quickly.
My personal take is that whatever you do, no matter if it's about deciding to not care or not say anything, or being vocal, stay true to yourself, and be proud of what you share.
Edit: linked article says the case was settled in June.
npm can't handle security, and they have been sorely in need of new leadership for years.