[IshKebab]

Python does too I believe.

Really the reason not to allow that is for robustness, not security. You ideally don't want package installs doing random stuff to your system because package authors are generally bad at doing that sort of thing cleanly.

The security impact is relatively minimal because as other people have said, you just installed a package. What's the very next thing you're going to do? Compile/run it obviously.

[oblio]

A lot of packages are pulled in to call minimal bits of the actual library. I obviously don't have any statistics on this but my instinct would say that for the average application only 5% of an average package is actually used.

So not running package installation scripts is a huge, massive problem.

[dns_snek]

It doesn't matter how much of the package you use. Here, you can use literally 0% of Koa and get pwned by one of its transitive dependencies (koa > cookies > keygrip > tsscmp) by simply importing the parent package:

    mkdir demo && cd demo
    npm install --save koa@3.2.0
    echo 'console.log("--- pwned by a transitive dependency ---")' >> node_modules/tsscmp/lib/index.js
    node -e "import 'koa'"

--- pwned by a transitive dependency ---

[oblio]

My point was for proper package management tools that don't allow running scripts.

[IshKebab]

His example did not involve running any post-install scripts.

[IshKebab]

So what? Packages can just put their backdoors in some initialisation code that is always used.

It is possible that not running package installation scripts could improve security, but for that you need really good sandboxing/compartmentalisation of library code, e.g. with CHERI, WASI component model, or if all of your code must run in a secure context it probably helps.

But those situations are unfortunately rare in my experience.