If you always run npm inside of docker does that pretty much prevent attacks like this?

Docker is not a sandbox. There is some work that can be done to harden it, but you're better off looking at genuinely sandboxing your dev environment

What is genuine sandboxing? Everyone waives there hands by saying this

Good question with a lot of possible answers. You can take sandboxing as far as you want, really. I typically just use bubblewrap (linux)

	▲	ashishb 2 minutes ago \| parent [-]
		I have a perfect set up in inside docker that works. I would love to know why bubblewrap is a superior alternative. Here's mine https://github.com/ashishb/dotfiles/blob/067de6f90c72f0cf849...