NodeJS isn't very sandboxed. Many "dev libraries" are native and will either download and link to binary blobs, or build e.g. C code, which AFAICT is what all the various install scripts are for.
It seems like a bad design choice, that, besides allowing for running untrusted code directly at download time, also makes it difficult to properly mirror artifacts, and I'd assume, make platform portability inconsistent, at best.
