To be pedantic, it's not npm itself that's the problem; it's the fact that everyone and their mom is publishing a new package for every trivial function, leading to dependency trees that are a mile deep and a security nightmare waiting to happen. Source?