by ohazi 2492 days ago
It's not you, it's the norms that you were challenging. Developers don't want other people to realize that the only thing stopping them from running "extra" stuff like this on someone else's build machine is convention.

After the leftpad fiasco and the recent purescript installer "malware," people have gotten really sensitive about this sort of thing. Everybody knows that npm is a house of cards, but it's easier to hide the problem than to fix it.


If the only thing this whole saga accomplishes is that npm post-install scripts are replaced with proper pre-built binary support, then I'll say this was all worth it. :)

The post-install scripts are installed from the same source as the actual library - the library itself could contain whatever malicious code an attacker wants. Pre-built binaries don't help here.