May 5, 2023, 1:09 a.m. | /u/liquidamber_h

cybersecurity www.reddit.com

I *feel* like using `npm` is an unnecessary security risk. (Maybe because it's written in JS, and I tend to distrust JS, so I prefer to only use JS when there's no other option.)

But even using `apt-update` or `PHP Composer` makes me wonder... am I increasing my risks, by doubling the amount of parties I have to trust?

i.e.:

- Direct install = only trust 1 party (the developer)
- Package install = trust 2 parties (dev + package …

