At least python and go packages don't execute arbitrary code on developers' workstations at install time. If you pin dependencies to a known safe version, then you're relatively safe.
With NPM, just typing `npm update` can pwn your workstation.
What is the fundamental difference between pip and npm here? `pip install` will run whatever is in the `setup.py` of the package (and recursively do the same with any dependencies). That is essentially arbitrary code execution, no?
This feels more like a numbers issue than a fundamental difference, i.e. Python packages generally have orders of magnitude fewer dependencies than JS ones because the standard library is very extensive. Most dependencies are major libraries rather than small ones, which are much less likely to be compromised.
For Python this is only true for wheel packages. Source packages may execute arbitrary code in setup.py during pip install (compiling C code for example).
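A defender-side check for the pinning point raised in this thread, added here as an example and not code from any commenter: it flags requirements.txt entries that are not pinned with `==`, pins that carry no `--hash` (so `--require-hashes` cannot enforce them and a source package could still be installed), and package.json ranges that `npm update` is free to advance. The function names and the sample inputs are my own.

```python
import json
import re

# "name==1.2.3" optionally followed by --hash=sha256:... flags; anything
# looser lets the resolver pick a version nobody reviewed.
PINNED_RE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\],]+)\s*==\s*([^\s;#\\]+)")
EXACT_NPM_RE = re.compile(r"\d+\.\d+\.\d+(?:[-+][\w.]+)?")

def audit_requirements(text):
    """Return (kind, item) findings for a requirements.txt.

    'unpinned': no exact ==version, so pip may fetch a newer release.
    'no-hash': pinned but without --hash; with --require-hashes pip rejects any
    file whose hash is not listed, so an unlisted sdist (and its setup.py)
    cannot be installed. Add --only-binary=:all: to refuse sdists outright.
    """
    findings = []
    # Join backslash continuations so --hash flags stay with their requirement.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or option line such as -r / --index-url
        m = PINNED_RE.match(line)
        if not m:
            findings.append(("unpinned", line.split()[0]))
        elif "--hash=" not in line:
            findings.append(("no-hash", m.group(1)))
    return findings

def audit_package_json(text):
    """Return dependencies whose range lets `npm update` move them.

    Exact versions stay put; ^, ~, >=, *, latest ranges are what npm update
    advances, pulling in a release (and its install scripts) nobody reviewed.
    """
    pkg = json.loads(text)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if not EXACT_NPM_RE.fullmatch(spec):
                findings.append(("floating", f"{name}@{spec}"))
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real project.
    reqs = "requests==2.31.0 \\\n    --hash=sha256:0000\nflask>=2\nnumpy==1.26.0\n"
    pkg = '{"dependencies": {"lodash": "^4.17.21", "left-pad": "1.3.0"}}'
    print(audit_requirements(reqs))  # [('unpinned', 'flask>=2'), ('no-hash', 'numpy')]
    print(audit_package_json(pkg))   # [('floating', 'lodash@^4.17.21')]
```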