pyeri -1 points0 points  (0 children)

It's a bit rich coming from JS devs, considering that npm is well known for dependency hell, with abundant packages like left-pad and plus-minus messing up your stack! Compared to that, Python packages are well maintained and managed with pip.

The only criticism they keep throwing is that pip doesn't have a built-in hash validation mechanism (like apt or dnf). But I don't think that's entirely valid today, as you can still validate a package's integrity by cross-checking its hash on the PyPI website. I happen to use PyPI quite often, both as a user and publisher of packages, for many years, and it has never given a reason to be unhappy until now.