doesn't fix the issue
of the lazy/broken development model. It took me probably less than 5 minutes to determine NPM was a raging pile of shit when a developer first introduced it to me what seems like 3 years ago now. The fact that the things seem to be constantly breaking and needing bleeding edge versions is bad enough, the auto dependency stuff is of course terrible as well.
My org's latest foray into npm involved having to build a new version of GCC in order to even get the newer NPM shit to even compile (new compiler needed other libs too that broke shit, so we had to build a new dedicated VM with the upgraded stuff to isolate it).
[update] Meanwhile my org is also working on our first major PHP upgrade in --- four years. PHP has been very stable as well. Security updates come from Ubuntu even though "upstream" has long abandoned the version of PHP we have I believe.
At least with the most common Perl libraries (and others come to mind too) they are included in many of the larger Linux distributions by default, no need to go to 3rd parties to get many things. My Ubuntu systems here seem to have 2,700 Perl libraries in the repos. They are pretty stable too, Perl 5 is stable and mature at least.
Trying to include NPM stuff in distros is almost a wasted effort because the package is obsolete after 5 minutes.
I first encountered this broken development model about 10 years ago with my first introduction to supporting a Ruby on Rails app, and it really seems things have just gone downhill since that time.
It gets worse as the newer developers are raised on this culture and don't know any different.
Meanwhile the non-technical marketing people have a field day inserting dozens of 3rd party JavaScript resources into the websites, making them slow down quite a bit and even have errors. I had one guy a few years ago link a popup on the production homepage to some code running on an internal-only QA server, then he took off for a vacation within 30 minutes ("it worked in the office - because the office has a VPN to the QA environments" -- what, you didn't think seeing "QA" in the hostname meant that the production front page should be pointed at it?)
I'm past the anger, past the tears, I just laugh now. And I give responsibility for this stuff to other people, less stress in my life.
(been working with/supporting developers for the past 16 years now)