While that may be true for an unrestricted language, it doesn't need to be true of the programs we design. There's no reason that an installer needs to be written in a completely unrestricted way. NPM could use a DSL which would make it possible to review what an installer is going to do.

This is an idea I (with some collaborators) have explored in a more general way for secure shell scripting: shill-lang.org.

For systems like rubygems and npm, a build tool that installs the gems with sudo on a clean system and flags obvious issues would be a good thing.

(If the halting problem is a problem, try executing it in a sandbox.)

The Halting Problem says it’s impossible to tell whether a program will naturally finish what it’s going to do without doing it.

You can obviously tell what a trivial program will do by looking at it.