A big part of the ease of use of package managers comes from implicit trust in the maintainers of the repositories. Convention over configuration dictates you as a node dev trust the NPM repos. Ditto for ruby gems.
Like most things Java-related, Maven is very extensible from an env perspective. People complain about Java programs/tools being over-engineered, but in this case it's a good thing.
One of the great things about Maven is that you can trivially point it to a repo you control that is shared across a team or even an entire corporation. This allows whitelisting of packages, confirmed trusted versions, and consistency across different applications (my app and your app both use library X and we know it's the same jar).
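The setup described in that comment, as an added example that is not the commenter's own configuration: a Maven settings.xml that routes every repository a build would otherwise contact through one repository manager the team controls (the host repo.example.internal and the credential variable names are placeholders; the allowlisting of packages and pinning of versions happens on that manager, this file only forces all traffic through it).

```xml
<!-- ~/.m2/settings.xml (or the CI runner's equivalent).
     repo.example.internal is a placeholder for your own repository manager. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- mirrorOf="*" also matches pluginRepositories and any <repositories>
         a project POM declares, so a single build cannot quietly add
         its own download source behind the team's back. -->
    <mirror>
      <id>internal-mirror</id>
      <name>Team-controlled proxy of Maven Central</name>
      <url>https://repo.example.internal/maven2/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  <!-- Credentials for the mirror: the <id> must match the mirror's <id>.
       Taken from the environment so they stay out of the POM and out of
       version control (MAVEN_REPO_USER / MAVEN_REPO_PASS are assumed names). -->
  <servers>
    <server>
      <id>internal-mirror</id>
      <username>${env.MAVEN_REPO_USER}</username>
      <password>${env.MAVEN_REPO_PASS}</password>
    </server>
  </servers>
</settings>
```

With this in place, a POM that points at some other repository still resolves through the internal mirror, so what reaches developers' machines is only what the repository manager has been allowed to serve.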
How many of you actually verify the origin of the modules and libraries you use as dependencies?
I think you got it backwards. Maven doesn't support any form of authentication or verification for packages. So you better trust the network you're on, the core network, and the remote repository.
Maven central and other repositories contain a lot of software, under many different licenses. So unlike, say, apt-get or rpm, you can't always be sure that what you're getting is free/open source software. Be careful with the licenses!