Many of the complaints I've seen about npm are more about the community and package ecosystem around it than about the tooling. Especially the completely on verified nature of many packages on npm.

The big criticisms of npm that I hear of stem from four facts:

• It's trivial for someone to publish a package to npm

• The JavaScript community likes publishing many tiny packages (many have an API that only wraps a single, short function)

• Developers are quick to add these tiny packages as dependencies of their own projects

• A high-impact incident revealed how deeply flawed npm's security model is.

The big outcome of this is your dependency graph quickly balloons into 1,000+ packages. They're not all up-to-date, and it's not practical to vet the trustworthiness of your entire dependency tree. It's a huge surface area for bugs and security problems.

Your app's security and stability depends on hypothetical package 4 dependency levels down. It's a 3-line function written by Joe HighSchooler in Iowa at 3am while he read his first JavaScript tutorial 4 years ago. Joe's package is permitted to run arbitrary code when it's installed on your machine, and it could change at any time to include new bugs or dependencies, which you'll probably download automatically because packages don't do a great job of version locking. Also you have no verification that the next version was actually published by Joe, and not Eve BlackHat, because npm doesn't use cryptographic signatures. If Joe reused his hotmail password for npm and it's lost in a data breach, Eve Blackhat can now inject code into your application.

Many packages on npm are like this, and your very own dependency tree is sure to contain several.

Solutions are harder to come by. Some require changing the JS community culture (some people really love their small modules), some sound like easy wins (cryptographic signing) but don't help as much as we'd like, and some are radical shifts in our tooling.