Or npm being allowed to run arbitrary post install scripts