This is what systems like deb and rpm do - they curate a list of packages that can be installed to the system. But most people (in my experience, including myself) don’t use them because they get out of date really quickly and don’t lend themselves to things like virtual environments very well.
It is possible to set your registry in NPM via the "npmrc" file. That will let you hit the specified HTTP server whenever you run commands like "npm install".
I know this is also possible for Python because we did it at Uber. I don't remember the specific details anymore though.
In either case though, a lot of people have written proxies for this use case (I helped write one for NPM at Uber). Companies like Bytesafe and Artifactory also exist in this space.
Somehow validating packages before inclusion?
IIRC mirrors for NPM, Packagist and others are not impossible; can be done for PyPI and others too?
Maybe it's a stop-gap before all the fancy permissions feature build out (which seems hard)