Re: Review changes to 3rd party code
the asylum isn't being run by the neckbeards cosplaying as lumberjacks.
What? Do you understand remotely what you are talking about? Composer is clearly based on NPM (composer.json is package.json, composer.lock is package.json.lock), and from browsing packagist, it seems to have as much shit code as any other package repository that anyone can publish to.
Python's packaging is actually excellent: after old, bad tools like easy_install, pip is an excellent installer (does 1 thing), and there are interesting package dependency management tools like pipenv and poetry.
Similarly, npm is not good at package dependency management, which is why no-one really uses it now - they use yarn.
Really, with any language, how you get the packages isn't really relevant. npm, pipenv, poetry, yarn, composer all fetch packages from the net and include them in your project, so what you really should be interested in is "whose code am I using and how much do I trust them". Languages which have high use, in multiple spheres, tend to have higher quality packages. I'd rather use Kenneth Reitz's requests than I would some PHP clone.
Note that I'm not saying PHP is shit*, but that because it is a language only used by people who slap together websites, it cannot compare (in ecosystem quality) to a general purpose language like Python, that is used for web shit, big data, sysops... basically everything.
* That happens here. PHP is shit.
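The point above about "whose code am I using" is answered concretely by the lockfile, whatever the tool: it records every resolved package, where it was fetched from, and (ideally) an integrity hash or commit pin. The following is an added example, not code from the thread or from any of the projects mentioned; it reads a constructed npm `package-lock.json` and a constructed `composer.lock`, lists what each one pins, and flags entries a reviewer would want to look at (no hash or commit pin, or a download location outside the expected registry hosts). The package names, URLs and hash values in the samples are made up, and the `TRUSTED_PREFIXES` list is an assumption for the example.

```python
"""Added example (not from the original thread): inventory what a lockfile
pins so a reviewer can answer "whose code am I using, and is it pinned?".
Both lockfile contents below are constructed samples, not real projects.
"""
import json

# Constructed sample of an npm lockfileVersion 2 package-lock.json, trimmed
# to the fields this example reads. Hash values are placeholders.
NPM_LOCK = r'''
{
  "name": "sample-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-EXAMPLEPLACEHOLDERHASH=="
    },
    "node_modules/mystery-lib": {
      "version": "0.1.0",
      "resolved": "git+ssh://git@example.invalid/someone/mystery-lib.git#abc123"
    }
  }
}
'''

# Constructed sample of a composer.lock, likewise trimmed.
COMPOSER_LOCK = r'''
{
  "packages": [
    {
      "name": "guzzlehttp/guzzle",
      "version": "7.8.1",
      "dist": {"type": "zip",
               "url": "https://api.github.com/repos/guzzle/guzzle/zipball/EXAMPLEREF",
               "shasum": ""},
      "source": {"type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
                 "reference": "EXAMPLEREF"}
    },
    {
      "name": "vendor/only-source",
      "version": "dev-main",
      "source": {"type": "git",
                 "url": "https://example.invalid/vendor/only-source.git",
                 "reference": "deadbeef"}
    }
  ]
}
'''

# Assumption for the example: download locations we consider expected.
TRUSTED_PREFIXES = (
    "https://registry.npmjs.org/",
    "https://api.github.com/",
    "https://github.com/",
)


def npm_dependencies(lock_text):
    """Return (name, version, resolved_url, pin) for each installed npm package.
    For npm the pin is the subresource-integrity style "integrity" field."""
    lock = json.loads(lock_text)
    deps = []
    for path, info in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps.append((name, info.get("version"), info.get("resolved"), info.get("integrity")))
    return deps


def composer_dependencies(lock_text):
    """Return (name, version, resolved_url, pin) for each Composer package.
    Composer often leaves dist.shasum empty, so fall back to the git commit
    reference, which also pins exact content."""
    lock = json.loads(lock_text)
    deps = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        dist = pkg.get("dist") or {}
        source = pkg.get("source") or {}
        url = dist.get("url") or source.get("url")
        pin = dist.get("shasum") or source.get("reference")
        deps.append((pkg["name"], pkg.get("version"), url, pin))
    return deps


def review(deps):
    """Flag entries with no content pin, or fetched from an unexpected host."""
    findings = []
    for name, version, resolved, pin in deps:
        if not pin:
            findings.append(f"{name}@{version}: no integrity hash or commit pin")
        if resolved and not resolved.startswith(TRUSTED_PREFIXES):
            findings.append(f"{name}@{version}: fetched from {resolved}")
    return findings


if __name__ == "__main__":
    for label, deps in (("npm", npm_dependencies(NPM_LOCK)),
                        ("composer", composer_dependencies(COMPOSER_LOCK))):
        print(f"{label}: {len(deps)} packages pinned")
        for line in review(deps):
            print("  REVIEW:", line)
```

On the constructed input the npm lock yields two findings for `mystery-lib` (no integrity field, and fetched over `git+ssh` from a non-registry host) and the Composer lock yields one for `vendor/only-source` (no `dist`, source host outside the expected list). A project would run the same logic against its real lockfile in CI, which is where "how much do I trust them" becomes a checkable question rather than a feeling.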