> but NPM makes it dangerous to merely open a project up in an IDE.

It does not. Opening a project in an IDE has always been dangerous because there are about a thousand language server and analysis tools that run in the background. This is why IDEs ask you whether you trust the contents of a repository.

An even if some automated background execution initiated by the IDE doesn't get you, running `npm run test` 15 seconds later will.