by mDyJzDPmBdG 2 days ago
If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install a binary jar into the local .m2/repository, and later use it as a plugin during the generate-sources phase - and that is something an IDE will want to do when opening a project. NPM attacks are really a product of its popularity (and the update churn that the community already got used to).
1 comments

You’re not wrong, but what an IDE does when opening a project directory is an issue with that tool, and not one directly addressable by the maintainers of the dependency management tool.

The more direct comparison would be whatever the equivalent of “npm install” is for a given language, and what it allows to run. Sounds like they’re making good progress to fix that, but it’s certainly more than a popularity issue.
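As an added example tied to both comments above (not code from either commenter), the following Python script scans a pom.xml for plugin executions bound to lifecycle phases that a plain `mvn compile` or an IDE project import already triggers, which is the Maven analogue of "what does `npm install` allow to run". The phase list, the two named script-execution plugins and the sample pom are constructed for the example; since every Maven plugin is fetched Java code, this is a review heuristic, not a complete control.

```python
import xml.etree.ElementTree as ET

# Phases that run before any test/package step, so an IDE import or `mvn compile`
# already executes plugins bound here. Constructed list, not exhaustive.
EARLY_PHASES = {"validate", "initialize", "generate-sources", "process-sources",
                "generate-resources", "process-resources", "compile"}

# Plugins whose declared purpose is running arbitrary commands or scripts.
SCRIPT_PLUGINS = {
    ("org.codehaus.mojo", "exec-maven-plugin"),
    ("org.apache.maven.plugins", "maven-antrun-plugin"),
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _text(el, tag, default=""):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else default


def find_risky_executions(pom_xml: str):
    """Return (groupId, artifactId, reason) for plugins worth reviewing before import."""
    root = ET.fromstring(pom_xml)
    findings = []
    # Matches <build><plugins> at top level and inside <profile> sections alike.
    for plugin in root.iterfind(".//m:build/m:plugins/m:plugin", NS):
        gid = _text(plugin, "groupId", "org.apache.maven.plugins")  # Maven's default
        aid = _text(plugin, "artifactId")
        if (gid, aid) in SCRIPT_PLUGINS:
            findings.append((gid, aid, "script-execution plugin"))
        for execution in plugin.iterfind("m:executions/m:execution", NS):
            phase = _text(execution, "phase")
            if phase in EARLY_PHASES:
                findings.append((gid, aid, f"bound to {phase}"))
    return findings


# Constructed sample pom.xml: one plugin runs at generate-sources, one is benign.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1</version>
  <build><plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId><artifactId>exec-maven-plugin</artifactId>
      <executions><execution><phase>generate-sources</phase>
        <goals><goal>exec</goal></goals></execution></executions>
    </plugin>
    <plugin><artifactId>maven-surefire-plugin</artifactId></plugin>
  </plugins></build>
</project>"""

if __name__ == "__main__":
    for gid, aid, reason in find_risky_executions(SAMPLE_POM):
        print(f"{gid}:{aid} - {reason}; review before opening in an IDE")
```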