tln 5 days ago

How can we stop having post-install scripts with such access?

Can I turn off those post-install scripts globally?

Are there alternatives to npm that do a better job here?

ryanto 5 days ago

You can use pnpm, which forces you to approve the install scripts you want to run.

ireadmevs 5 days ago

Do you approve on every update of the package? Do they offer a way to quickly review what’s going to run and what has changed since the last approval? Otherwise it’s just like another checkbox of “I confirm I read the terms and conditions”.
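The review step asked about in the last comment can be sketched as a diff of install-time hooks against a stored approval record. This is an added example, not code from any commenter and not how pnpm or npm implement approvals; the approval-record format, the function names and the sample packages are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm-compatible package managers run at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Keep only the install-time hooks from a parsed package.json object.
function installScripts(manifest) {
  const out = {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (typeof cmd === 'string') out[hook] = cmd;
  }
  return out;
}

// Report packages whose install hooks differ from what was approved.
// approvals: { [name]: { [hook]: command } } (hypothetical record format).
function reviewInstallScripts(manifests, approvals) {
  const findings = [];
  for (const m of manifests) {
    const current = installScripts(m);
    // Object.hasOwn avoids treating names like "constructor" as approved.
    const known = Object.hasOwn(approvals, m.name);
    const approved = known ? approvals[m.name] : {};
    const changed = INSTALL_HOOKS.filter((h) => current[h] !== approved[h]);
    if (changed.length === 0) continue; // nothing new to review
    findings.push({
      name: m.name,
      version: m.version,
      status: known ? 'changed' : 'new',
      hooks: changed.map((h) => ({
        hook: h, was: approved[h] ?? null, now: current[h] ?? null,
      })),
    });
  }
  return findings;
}

// Constructed sample data (not real packages).
const sampleManifests = [
  { name: 'native-addon-example', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'telemetry-example', version: '1.4.0', scripts: { postinstall: 'node setup.js', test: 'jest' } },
  { name: 'new-dep-example', version: '0.3.0', scripts: { preinstall: 'node check.js' } },
  { name: 'plain-lib-example', version: '3.0.0', scripts: { test: 'jest' } },
];
const sampleApprovals = {
  'native-addon-example': { install: 'node-gyp rebuild' },
  'telemetry-example': { postinstall: 'node scripts/setup.js' },
};

console.log(JSON.stringify(reviewInstallScripts(sampleManifests, sampleApprovals), null, 2));
```

An unchanged command string only shows that the entry point is the same; the file it invokes can still differ between versions, so a package that stays off this report has not been shown to run the same code.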