Yes, and it makes no sense. It's not a "swathe of front-end developers" problem.
Developers in general want to push packages. They don't want to experience friction while doing it. They especially don't want to have to do things like engage with Linux distribution maintainers in order to get their packages into official software repositories. They want to just run $pkgr publish on their repo and that's it. So they invariably end up creating their own distribution mechanisms with zero maintainers involved. Just untrusted randoms making accounts and pushing random stuff. It's easy, so naturally what happens is the repositories get filled with software.
It's only natural to use the stuff that is out there, so the packages get added to projects as dependencies despite the fact none of it is even slightly trusted. Developers hate friction when using libraries too. They very much want to just run $pkgr install x on their repositories and be done with it. They don't want to do things like read the source code or verify that it actually corresponds to what they've downloaded. That's somebody else's problem. On Linux distributions, that somebody else is the package maintainer, the exact person the programming language package managers aim to eliminate.