I can't square this circle of someone being paranoid about postinstall scripts but at the same time thinking the first chance to review dependency code is after doing an `npm i`.
Check the git repo of the library you are installing beforehand if you're so paranoid about postinstall.
And above that, never install any library for which the source is not readily available. This is the most basic first line of defense.
> Check the git repo of the library you are installing beforehand if you're so paranoid about postinstall.
> And above that, never install any library for which the source is not readily available.
Whether source is available or not is mostly irrelevant when you're potentially dealing with malicious code; you need to review the artifacts that are being fetched from NPM, since those can differ from the source code on GitHub.
Attackers aren't going to announce their malicious code through meaningful git commit messages in a prominently displayed GitHub repository. They will make innocent-looking commits on GitHub, then publish a new version containing a single additional line of malicious code on NPM.
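The point above, that the published tarball is what actually runs and may differ from the repository, is something you can check mechanically. The following is an added example, not code from anyone in this thread: it unpacks an npm-style tarball (constructed in memory here, laid out with the `package/` prefix that `npm pack` produces), flags any install-time lifecycle hooks declared in its `package.json`, and diffs every published file against a checkout of the source tree. The package name, file contents and the hypothetical `setup.js` are all constructed fixtures; in real use you would obtain the tarball with `npm pack <name>@<version>` and the source from the matching git tag.

```python
import io
import json
import tarfile

# Lifecycle hooks that npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def build_tarball(files):
    """Build an in-memory gzip tarball shaped like `npm pack` output.

    npm places every file under a top-level `package/` directory.
    `files` maps a relative path to its text content. Fixture helper only.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name="package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tarball_bytes, source_files):
    """Compare a published tarball against the source tree it claims to come from.

    Returns install hooks declared in the published package.json, files whose
    content differs from source, files present only in the tarball, and source
    files that were not published (often expected: tests, docs, .npmignore'd files).
    """
    published = {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.startswith("package/"):
                name = name[len("package/"):]
            published[name] = tar.extractfile(member).read().decode()

    pkg = json.loads(published.get("package.json", "{}"))
    scripts = pkg.get("scripts", {})
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}

    changed = sorted(p for p, c in published.items()
                     if p in source_files and source_files[p] != c)
    extra = sorted(p for p in published if p not in source_files)
    missing = sorted(p for p in source_files if p not in published)
    return {"lifecycle_scripts": hooks, "changed": changed,
            "extra": extra, "missing": missing}


# --- constructed fixtures standing in for a git checkout and a registry tarball ---
SOURCE_TREE = {
    "package.json": json.dumps({"name": "example-lib", "version": "1.2.3",
                                "main": "index.js",
                                "scripts": {"test": "node test.js"}}, indent=2),
    "index.js": "module.exports = function add(a, b) { return a + b; };\n",
    "README.md": "# example-lib\n",
}

_published_pkg = json.loads(SOURCE_TREE["package.json"])
_published_pkg["scripts"]["postinstall"] = "node setup.js"   # hook absent from source
PUBLISHED_FILES = {
    "package.json": json.dumps(_published_pkg, indent=2),
    # the "single additional line" the comment above describes
    "index.js": SOURCE_TREE["index.js"] + "require('./setup');\n",
    # hypothetical file that exists only in the registry artifact
    "setup.js": "// constructed placeholder, not real code\nconsole.log('hook ran');\n",
}


def demo():
    """Audit the constructed tarball against the constructed source tree."""
    return audit_tarball(build_tarball(PUBLISHED_FILES), SOURCE_TREE)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything listed under `lifecycle_scripts`, `changed` or `extra` is what deserves a human read before the install runs; `missing` is usually just files the publisher excluded. If you want to review first and run hooks later, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) fetches the artifacts without executing them.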
> ...NPM since those can differ from the source code on GitHub.
True. How about people act on their threat model? Instead of removing a feature for many users, just do whatever you need to do to be sure you're safe yourself.
In what other major situation is the solution to nuke a feature due to security concerns?
Afaik the main conversation about postinstall is around leeches complaining about political messages in their console and one or two other incidents.
They are a very bad thing.