> That's an INSANE default.
I agree that not running arbitrary installation scripts is the right default, but it's just an incremental improvement.
The practical difference between code that runs at installation and code that runs when the package is executed is, very typically, a small amount of time.
IMO, the hyperbole here hurts because it distracts from more effective efforts.
> IMO, the hyperbole here hurts because it distracts from more effective efforts.
For example?
Can I just run npm update diff and see all changes across all updates compared to the last reviewed code in node_modules? Why not?