Looks good? But doesn't this just change the compromise window from first installation to first run?
"First run" doesn't exist for JavaScript libs used only in web apps. So for that entire class of packages this change makes them safe.
Better than nothing. That’s the same problem every package manager has.
Yes, but that's actually a huge win. I can't know what a package needs to do at install time - the dev knows that. But I know what my tests and program need to do at runtime because it's my job to understand those things.
The dev has to be responsible for ensuring that their build scripts are safe; I need to be responsible for ensuring that my runtime is safe.
It'd be great to have more tools for untrusting libraries (iframes are awesome for this on the frontend), but this is still a massive win.
I’m sure we’d all welcome your alternative and or superior proposals.
Without that, this just comes across like unconstructive commentary.
This moves the needle a little; your proposals, or the lack thereof, don't move it at all. So I'll take this over nothing.
Ok? Not sure what a package manager can do about the fact that eventually you want to run the things you install.