> A download from NPM is just someone (most often something) doing _npm i_.
> Given how most CIs are (badly) configured in the wild, they'll _npm i_ at least once per run. If not per stage.

Indeed. By the same calculus, it should take less than a year for everyone on the planet (including children and the elderly and a whole lot of people who might not have computers, let alone any idea what Python is) to get a personal copy of many of the most popular Python packages (https://pypistats.org/top).