Some speculation on my end:
npm: adds bot protection to package pages so that they can avoid costly SSR.
crates.io: 🖕 we'll return an empty shell. go call the API. we don't need to deal with the cost and security implications of running node on our servers.
I like what crates.io did.