Comment by p-e-w
6 hours ago
With the recent high-profile attacks on PyPI packages, it’s no longer true that npm is the “only package manager where this regularly happens”.
In fact, pip is much more dangerous than npm because it lacks a lockfile. uv fixes that, but adoption is proceeding at a snail’s pace.
UV adoption is happening, though. NPM is still the only name in town.
Huh ? uv is a package manager not a registry.
In JS world there is plenty of competition for package managers pnpm/ yarn/ burn all viable alternatives to npm the package manager.
Public registries for languages tend to coalesce around one service . Nobody wants to publish their library to 4 different registries .
Apparently it does now: https://packaging.python.org/en/latest/specifications/pylock...
https://pip.pypa.io/en/stable/cli/pip_lock/
But who cares about pip, uv is here.
I don't know about snails, but everything I'm in contact with has moved over to uv, and I can't imagine I'm the only one.
[flagged]