[nailer]

> Isn't executing arbitrary code kind of the entire point of NPM though?

No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. Eg:

- pip

- Cargo

- apt/dpkg

- dnf/yum

- Homebrew

- RubyGems

- Composer (limited)

- Maven

> Any chance you have a link to something that describes their plans?

https://github.blog/changelog/2026-06-09-upcoming-breaking-c...

[mapontosevenths]

I get what you mean, but an NPM package is just a tarball of arbitrary code and some metadata. The whole point of it is to eventually run that arbitrary code, presumably. Otherwise why would you want to download the tarball and extract it? In fact, what purpose does NPM even serve if it's just a way to host tarballs?

I get the install time and run time execution might feel different, but I don't see how that's a security boundary at all.

I suspect that everyone will just get into the habit of typing --allowScripts all or whatever and nothing will actually change, because there's no point in a version of NPM that doesn't properly set things up for most people.

[nailer]

The code in the module isn’t arbitrary: it’s what the user intended an install, provided the package hasn’t been compromised. I do see your own version though.

Most apps don’t need install scripts so disabling them by default is fine.