Comment by apf6

4 hours ago

The time difference does matter though. There were some recent worm attacks in NPM that spread very quickly because they used post-install. I don’t remember how long it took NPM to block the packages but it was probably around 30 minutes or so? If it wasn’t for post-install then that same attack would have a much slower spread and thus a smaller blast radius.

I don't accept the idea that it would significantly slow down the spread.

How often do you run "npm install" just for the fun of it, without actively working on the codebase?

IME 99% of the time the time between "npm install" and some form of execution that pulls in dependencies is less than 30 seconds.