Comment by oefrha

> The install script checks the OS and Arch, and pulls the right Rust binary.

That's the arbitrary code execution at install time aspect of npm that developers should be extra wary of in this day and age. Saner node package managers like pnpm ignore the build script and you have to explicitly approve it on a case-by-case basis.

That said, you can execute code with build.rs with cargo too. Cargo is just not a build artifact distribution mechanism.