dtech 4 hours ago

Npm has weak security boundaries.

Basically any dependency can (used to?) run any script with the developer's permissions on install. JVM and Python package managers don't do this.

Of course, in all ecosystems, once you actually run the code it can do whatever it wants with the permissions of the executing program, but this is another hurdle.

lights0123 3 hours ago | parent [-]

Python absolutely can run scripts on installation. Before pyproject.toml, arbitrary scripts were the only way to install a package. It's the reason PyPI.org doesn't show a dependency graph, as dependencies are declared in the Turing-complete setup.py.

oefrha 3 hours ago | parent [-]

Wrong. Wheels were available long before pyproject.toml, and you could instruct pip to only install from wheels. setup.py was needed to build the wheels, but the build step wasn’t a necessary part of installation and could be disabled. In that sense its role is similar to that of the pre-publish build step of npm packages, unless wheels aren’t available.
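The boundary dtech describes (npm lifecycle scripts running at install time with the developer's permissions) is something a defender can audit rather than just argue about. The script below is an added example, not code from any of the commenters: it walks a `node_modules` tree, lists every package that declares an install-time hook (`preinstall`, `install`, `postinstall`, `prepare`), and checks whether the project's `.npmrc` has opted out of running them with `ignore-scripts=true`. The sample dependency tree it audits is constructed inline in a temp directory so it runs offline; the package names in it are made up.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example for the thread above; not code from the posts or from npm.
The node_modules tree it inspects is constructed by build_sample_project().
"""
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_manifest(manifest: Path) -> bool:
    """True for node_modules/<pkg>/package.json or node_modules/@scope/<pkg>/package.json.
    package.json files buried deeper in a package (fixtures, tests) are ignored."""
    container = manifest.parent.parent
    if container.name == "node_modules":
        return True
    return container.name.startswith("@") and container.parent.name == "node_modules"


def find_install_scripts(node_modules: Path) -> list[tuple[str, str, str]]:
    """Return (package name, hook, command) for every installed package, including
    nested transitive dependencies, whose package.json declares an install-time hook.
    Result is sorted by (name, hook) so it is stable across filesystems."""
    findings = []
    for manifest in node_modules.rglob("package.json"):
        if not _is_package_manifest(manifest):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or manifest.parent.name
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, str(scripts[hook])))
    return sorted(findings)


def ignore_scripts_enabled(project_dir: Path) -> bool:
    """True if the project's .npmrc sets ignore-scripts=true, i.e. npm will not run
    lifecycle scripts on install. This is the blunt mitigation for the boundary
    discussed above; it also skips scripts a dependency legitimately needs."""
    npmrc = project_dir / ".npmrc"
    if not npmrc.is_file():
        return False
    for line in npmrc.read_text(encoding="utf-8").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def build_sample_project() -> Path:
    """Constructed sample tree (hypothetical package names): one clean dependency,
    one with a postinstall hook, one scoped package with a preinstall hook, and a
    nested transitive dependency with an install hook. Returns the project root."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    nm = root / "node_modules"
    manifests = {
        nm / "left-pad-ish" / "package.json":
            {"name": "left-pad-ish", "version": "1.0.0"},
        nm / "native-bindings" / "package.json":
            {"name": "native-bindings", "version": "2.1.0",
             "scripts": {"postinstall": "node-gyp rebuild"}},
        nm / "@acme" / "tool" / "package.json":
            {"name": "@acme/tool", "version": "0.3.0",
             "scripts": {"preinstall": "node setup.js", "test": "jest"}},
        nm / "native-bindings" / "node_modules" / "helper" / "package.json":
            {"name": "helper", "version": "1.0.0",
             "scripts": {"install": "sh ./build.sh"}},
    }
    for path, content in manifests.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(content), encoding="utf-8")
    (root / ".npmrc").write_text("ignore-scripts=true\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    project = build_sample_project()
    for name, hook, cmd in find_install_scripts(project / "node_modules"):
        print(f"{name}: {hook} -> {cmd}")
    print("ignore-scripts in .npmrc:", ignore_scripts_enabled(project))
```

Run it against a real checkout by pointing `find_install_scripts` at the project's `node_modules` after an `npm ci --ignore-scripts`, so the tree is materialised without any hook having executed; the list it returns is the set of packages whose scripts you then decide to allow deliberately. On the Python side, the equivalent of oefrha's "only install from wheels" is `pip install --only-binary=:all:`, which refuses to fall back to a source build (and therefore to running setup.py) when no wheel is available.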