> Running npm install is not negligence.

I beg to differ and look forward to running my own fiefdom where interpreter/JIT languages are banned in all forms.

sethaurus 3 hours ago | parent | next [-]

Do you really mean this literally? Even the Linux kernel contains tens of thousands of lines of Python, and more lines of shell. Is that undesirable?

▲

staticassertion 4 hours ago | parent | prev [-]

It has nothing to do with interpreters or JIT, it has nothing to do with npm at all. All package managers have the insane security model of "arbitrary code execution with no constraints".

	▲	seniorsassycat 3 hours ago \| parent [-]
		I tend to agree but think npms post install hook is a degree worse. Triggering during install, silently because npm didn't like someone using the feature to ask for donations, is worse than requiring you to load and run the package code.