
Why even put a package download count on it? Just require it for everything submitted to NPM. It's not hard.


Because then it's extra hassle and expense for new developers to publish a package, and we're trying to keep things decentralized.


It's already centralized by virtue of using and relying on NPM as the registry.

If we want decentralized package management for node/javascript, you need to dump NPM - why not something like Go's system which is actually decentralized? There is no package repository/registry, it's all location based imports.


Decentralized? This is a centralized package registry. There is nothing decentralized about it.


oh right, good point, I wonder when somebody will just sue NPM for any damage caused. That's really the only way we'll see change I think.


Download counters are completely useless. I could download your package 2 million times in under a minute and cause you to need the 2FA.

And true 2FA means you can't automate publishing from github's CI. Python is going the other direction. There is a fake 2FA that is just used to generate tokens and there is a preferential channel to upload to pypi via github's CI.

But in my opinion none of this helps with security. But it does help to de-anonymise the developers, which is probably what they really want to do, without caring if those developers get hacked and someone else uses their identity to do uploads.


I don’t understand what benefits this kind of “decentralization” offers.


Larger pool of people you can hack/blackmail/coerce into giving you access to millions of systems :)

