1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc.
I call apples and oranges.
AIUI (and hell, I try and keep clear of all this shit), Web 2 "design" loads shit dynamically from places all over The Interwebs. So if any of that breaks, your website/app immediately breaks.
It hardly needs saying that RedHat/CentOS/Debian/Ubuntu package management works nothing like this.
For starters, the packages aren't dynamically loaded. And it's all cryptographically signed by the distributor and verified on installation. Does your website demand that the browser does that with every Random Piece of Javashit that it grabs??
I could go on....