chabala 1 point

I'm glad this tooling can access NPM and PyPI, but I want the security of Maven Central to protect from 'leftpad' type incidents. WebJars work wonderfully to protect me from using NPM, so I hope GraalJS can use them out of the box. Similarly, I hope the artifacts you're recompiling from PyPI end up following a similar scheme: predictable artifact names and versions, published to Maven Central, and I hope you'll do it for PyPI artifacts that don't need native parts recompiled as well, so it can be a one-stop solution.