"1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc."
Better package managers, like NuGet or Ruby Gems, don't allow users to delete their packages once they've been published, precisely to prevent the problem that has happened here on NPM.
Of course even with those you still have the risk of your dependencies disappearing due to legal threats or other special circumstances. I've never really felt comfortable relying on pulling my build dependencies from a package manager, even if it is the recommended model with the likes of NuGet.