Comment by efortis

6 hours ago

Yes, it can break deps, some will not install. Puppeteer is a good example because it installs binaries. But it also shows an error with the cmd needed to complete the installation.

Why is it allowed by default?

> it’s npm’s belief that the utility of having installation scripts is greater than the risk of worms.

NPM co-founder Laurie Voss

https://blog.npmjs.org/post/141702881055/package-install-scr...
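An added example, not part of the comment above: one way to see ahead of time which installed dependencies rely on install scripts, and so may not install fully when scripts are disabled. The function names and the sample packages (`fetches-binary`, `plain-lib`, `@scope/native`, `nested`) are constructed for illustration.

```javascript
// Added example: list packages whose lifecycle scripts npm runs at install time.
const fs = require("fs"), os = require("os"), path = require("path");
const HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks that one package directory would trigger.
function installHooks(pkgDir) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8")); }
  catch { return null; } // missing or unparsable manifest: not a package
  const scripts = manifest.scripts || {};
  const hooks = HOOKS.filter((h) => typeof scripts[h] === "string");
  // npm defaults "install" to `node-gyp rebuild` when binding.gyp exists
  // and the package defines neither install nor preinstall.
  if (!scripts.install && !scripts.preinstall &&
      fs.existsSync(path.join(pkgDir, "binding.gyp"))) {
    hooks.push("install (implicit node-gyp rebuild)");
  }
  return { name: manifest.name || path.basename(pkgDir), hooks };
}

// Walk node_modules, including @scope directories and nested node_modules.
// Symlinked entries are skipped, so linked layouts need their real store path.
function findInstallScripts(nodeModules, found = []) {
  if (!fs.existsSync(nodeModules)) return found;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith("@")) { findInstallScripts(dir, found); continue; }
    const info = installHooks(dir);
    if (info && info.hooks.length) found.push({ ...info, dir });
    findInstallScripts(path.join(dir, "node_modules"), found);
  }
  return found;
}

// Constructed sample tree (not real packages) so the example runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hooks-"));
  const mk = (rel, manifest, extraFile) => {
    const dir = path.join(root, "node_modules", rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(manifest));
    if (extraFile) fs.writeFileSync(path.join(dir, extraFile), "{}");
  };
  mk("fetches-binary", { name: "fetches-binary", scripts: { postinstall: "node install.js" } });
  mk("plain-lib", { name: "plain-lib", scripts: { test: "node test.js" } });
  mk("@scope/native", { name: "@scope/native" }, "binding.gyp");
  mk("plain-lib/node_modules/nested", { name: "nested", scripts: { preinstall: "sh setup.sh" } });
  return path.join(root, "node_modules");
}
```

Calling `findInstallScripts("node_modules")` in a project directory returns the packages to review before deciding which install scripts to run by hand.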