Comment by silverwind

2 months ago

npm itself does not know that what you are installing is a CLI tool.

Good CLI tools are bundled before release so they are zero-dependency as far as npm is concerned, which is ideal imho for all CLI tools, but many don't do that.

Looking for "type": "project" is about as close as npm gets to knowing whether something is a command, but lots of libraries do ship with utility commands. npx knows, since it's used for nothing but commands. I've never seen bundling used for anything I've installed through npm; that's more likely for standalone downloads and possibly things like homebrew.

I'll repeat that the bigger problem is that npm has such unfettered access to everything in the user account to begin with. FSM knows it's not strictly an npm problem; it's a Unix problem that's been there since the beginning, just that now enough of the chickens are coming home to roost that people are starting to notice.