The only reason we use NPM is because we are lazy. It's up to us to pick and support an NPM alternative.
The best alternative would still be cloning from GitHub or GitLab or any other source.
Instead, we are going to build services around the NPM registry,
or even hide NPM itself behind new names,
or mimic its behavior.
But because we are lazy, we rely on NPM and blame them when lawyers and stakeholders together break the web.