Debian pioneered so many things -- things that many people still haven't learned from. One of those is proper repository management. Comparing Debian's repository to NPM's repository is like night and day. NPM has tons of malware and typosquatters, whereas the worst you can say about Debian's repo is that it's packages are usually out-of-date. The policies that make this difference are not complicated, just obscure.