This mostly defends against name squatting and other malicious dependencies that never get imported.
Haven't reviewed the code, but the article says its entry point is an install script. Install scripts don't run on import. I guess you're saying it triggers from import too.