Hacker News
by dns_snek 10 days ago
It doesn't matter how much of the package you use. Here, you can use literally 0% of Koa and get pwned by one of its transitive dependencies (koa > cookies > keygrip > tsscmp) by simply importing the parent package:

    mkdir demo && cd demo
    # installs koa plus every transitive dependency it pulls in, tsscmp included
    npm install --save koa@3.2.0
    # stand-in for a compromised transitive dependency: append module-scope code to tsscmp
    echo 'console.log("--- pwned by a transitive dependency ---")' >> node_modules/tsscmp/lib/index.js
    # importing koa alone (calling nothing) executes that line
    node -e "import 'koa'"

--- pwned by a transitive dependency ---

My point was for proper package management tools that don't allow running scripts.
His example did not involve running any post-install scripts.