The nice thing about shell scripts is that it's ubiquitous and have very little external dependency. Having a shell script depend on node.js seems a bit counter-intuitive?
Xeon just add ability to use npm as your package manager, why use tools like bpkg or something else if you can use great environment that trusted by thousands people.
Xeon bundle should be made on dev step, you should not bundle it on real server .etc where u use this script.
Reliance on transport security instead of providing cryptographic verification of code is my biggest beef, very closely followed by what is essentially a nonexistent reputation system (or, in lieu of a code reputation system, a curated selection of packages).
Xeon just add ability to use npm as your package manager, why use tools like bpkg or something else if you can use great environment that trusted by thousands people.
Xeon bundle should be made on dev step, you should not bundle it on real server .etc where u use this script.