- So maybe this has been obvious to a lot of people for a long time, but it seems like the npm model is just insecure by default? Someone (or CI) could run 'npm install some-evil-package' and then an unconstrained arbitrary script just runs on their machine unless they explicitly passed --ignore-scripts?

Dec 3, 2025 18:18