npm local packages - one big fuckup?

Using local packages with PHP/Composer is very simple: you just add a local folder to repositories in your projects package.json file and thats it. Composer then checks your local repo before it lookups packagist. Any local package behaves like an actual package from the server. Meaning composer is linking it and if you change the version inside package.json it understands there is an update. All dependencies go where they always go - into the vendor folder.

With npm local packages are just hell. You can add a lot of cool stuff to your projects package.json like http links to package archives, or even git repo urls. All of those behave the same. Packages are downloaded into your projects node_modules folder, all dependencies are there, node finds them easily.

Just with local packages its getting weird: When you add a local package to your package.json, you do that by giving a local file system path (instead a version number). Then, when you do npm install, it suddenly installs all dependencies of you local package into a new created node_modules folder inside that package, not inside your project. With a npm package, a http or a git url it would never do that, simply because it does not have write access on that remote source. In a local package it just goes haywire. When you put several local packages in your package.json you end up with a separate node_modules folder in every single one of them. Insane.

Then there is npm link. No idea who came up with that. Its the same misbehavior, just on a global scale. I find tons of questions about this, but no real solution. How can an ecosystem like npm become that big like that?

I think node and JavaScript are very important for the internets future since server and browser side development grow closer every second. There are just so many frustrating flaws.