>These tools with arbitrary code execution when trying to download some code have got to stop

But you still end up with the code on your machine and risk it being ran.

Bigger issue is giant, inscrutible dependency trees.

In this example, if they tried to run the test suite or application, they'd have been in the same boat.

Afaik all or most languages have some way to run arbitrary code at install time but it seems node is the main one getting targeted. I think the bigger issue here is just people running untrusted things.