If a build tool has any support for tests, it can execute arbitrary code, since that is what tests are. I am quite sure Maven's pom.xml can install binary jar into local .m2/repository, and later use it as plugin during generate-sources phase - and that is something an IDE will want to do when opening project.
NPM attacks are really product of its popularity (and update churn that community already got used to).
You’re not wrong, but what an IDE does when opening a project directory is an issue with that tool, and not one directly addressable by the maintainers of the dependency management tool.
The more direct comparison would be whatever the equivalence of “npm install” is for a given language, and what it allows to run. Sounds like they’re making good progress to fix that, but it’s certainly more than a popularity issue.
Because uh every OS on earth has the exact same vulnerabilities? How are you supposed to stop a user from downloading something random from the internet and running it?
Sometimes, but nodejs or npm won't work properly without the headless chromium VM, and would need bypassing local file-access security-sandbox restrictions most normal system Web-browsers enforce by default.
If root installs OS supported VM packages, than it would be pointless to complain the system runs as expected. As a sentient turnip, I probably wouldn't know for sure... =3
npm is hard to avoid, as other ecosystems have integrated it as a cross-platform build/installer script bootstrap.
Indeed, all things nodejs are usually a dumpster fire at a hair salon, but the real point here was people always inherit whatever the previous cheapest labor built at that office. Also, usually people don't get to make architectural decisions for a long time. =3