This is fine, right? It's a small price to pay to do, well, whatever it is y'all like to do with post-install hooks. Now me, I don't really get it. Call me dumb, or a scaredy-cat, but the very idea of giving the hundreds of packages that I regularly install, as necessitated by JavaScript's lack of a standard library, the ability to run arbitrary commands on my machine, gives me the heebie-jeebies. But, I'm sure you geniuses have SOME really awesome use for it, that I'm simply too dense in the head to understand. I wish I were smart enough to figure it out, but I'm not, so I'll keep suffering these security vulnerabilities, sleeping well at night knowing that it's all worth it because you're all doing amazing, tremendous things with your post-install hooks!
Without it, all a package can do is drop files on a filesystem. It's used to do any sort of setup, initialization or registration logic. It's actually impossible to install many packages without something like it. Otherwise, you end up having to follow a bunch of install instructions (which you will mess up sometimes) after each package gets installed.
I think that helps me understand. What are some examples of things where I'd want initialization or registration? What packages are impossible to install with this, besides cases where npm is used as an alternative to apt/yum to install dev executables?
Create registry entries in a config file for all local printers found in the existing OS configuration. Remember that the installer runs with privileges that the application won't normally have. So anytime you have to use those privileges you don't do it at runtime, you do it at install time. And this requires the hook.
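Added example, not part of the thread above: a small audit helper that lists which dependencies would run commands during `npm install`, including the implicit `node-gyp rebuild` npm supplies for packages that ship a `binding.gyp`. The names `installTimeCommands`, `auditManifests` and `SAMPLE` are hypothetical, and the manifests are constructed sample data.

```javascript
// Added example; installTimeCommands, auditManifests and SAMPLE are hypothetical names.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Commands a dependency would run during `npm install`.
// manifest: parsed package.json; hasBindingGyp: binding.gyp exists in the package root.
function installTimeCommands(manifest, hasBindingGyp = false) {
  const declared = (manifest && manifest.scripts) || {};
  const effective = { ...declared };
  // npm falls back to "node-gyp rebuild" as the install script when binding.gyp
  // is present and the package defines neither preinstall nor install.
  const implicit = hasBindingGyp && !declared.preinstall && !declared.install;
  if (implicit) effective.install = 'node-gyp rebuild';
  return INSTALL_HOOKS
    .filter((hook) => typeof effective[hook] === 'string' && effective[hook].trim() !== '')
    .map((hook) => ({ hook, command: effective[hook], implicit: implicit && hook === 'install' }));
}

// Reduce a list of { manifest, hasBindingGyp } entries to the packages that
// execute anything at install time, sorted by name for stable review output.
function auditManifests(entries) {
  return entries
    .map(({ manifest, hasBindingGyp }) => ({
      name: manifest.name,
      version: manifest.version,
      hooks: installTimeCommands(manifest, hasBindingGyp),
    }))
    .filter((pkg) => pkg.hooks.length > 0)
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample manifests (not real packages).
const SAMPLE = [
  { manifest: { name: 'plain-lib', version: '1.0.0', scripts: { test: 'node test.js' } } },
  { manifest: { name: 'native-addon', version: '2.1.0' }, hasBindingGyp: true },
  { manifest: { name: 'setup-heavy', version: '0.3.0', scripts: { postinstall: 'node scripts/setup.js' } } },
];

for (const pkg of auditManifests(SAMPLE)) {
  for (const h of pkg.hooks) {
    console.log(`${pkg.name}@${pkg.version} ${h.hook}${h.implicit ? ' (implicit)' : ''}: ${h.command}`);
  }
}
```

Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) skips these hooks, and `npm rebuild <package>` can then run them for the packages that were reviewed and accepted.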