The @scarf/scarf package uses the postinstall package.json option to run a script that makes a request to [somewhere] with potentially sensitive data, and can be configured to do that with no (reasonably visible) user notice. As with almost any technology, the tech involved isn't inherently bad.
This is a fairly weak argument on its own, but it's the "gut feeling" one that leads to others.
Libraries are expected to be installed with npm i, and to take no action besides what they require to be installed.
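The lifecycle hooks the post refers to are the `preinstall`, `install` and `postinstall` entries under `"scripts"` in a package's package.json; npm runs them automatically during `npm install` unless scripts are disabled. The following is an added example, not code from the original post or from the scarf project: a small audit function that reports which dependencies declare such hooks. The manifests it is run over are constructed in-line (the package names are hypothetical), so it runs offline; to audit a real tree, feed it the parsed contents of each `node_modules/*/package.json` instead.

```javascript
'use strict';

// Lifecycle scripts npm executes automatically when a dependency is
// installed from the registry. (`prepare` is deliberately left out: it runs
// for the project itself and for git dependencies, not for registry tarballs.)
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the subset of `manifest.scripts` that runs at install time.
// An empty object means installing this package runs no code.
function installScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const found = {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === 'string' && cmd.trim() !== '') {
      found[hook] = cmd;
    }
  }
  return found;
}

// Audit a map of package name -> parsed package.json and list every package
// that would execute something during `npm install`.
function auditManifests(manifests) {
  const report = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const hooks = installScripts(manifest);
    if (Object.keys(hooks).length > 0) {
      report.push({ name, version: manifest.version, hooks });
    }
  }
  return report;
}

// Constructed sample manifests for the demonstration (hypothetical package
// names; not real packages from the registry).
const CONSTRUCTED_MANIFESTS = {
  'hypothetical-telemetry-pkg': {
    name: 'hypothetical-telemetry-pkg',
    version: '1.0.0',
    scripts: { postinstall: 'node report.js', test: 'mocha' },
  },
  'plain-lib': {
    name: 'plain-lib',
    version: '2.3.1',
    scripts: { test: 'jest', build: 'tsc' },
  },
  'no-scripts-at-all': {
    name: 'no-scripts-at-all',
    version: '0.1.0',
  },
};

// Stand-alone run: print the packages that execute code on install.
for (const entry of auditManifests(CONSTRUCTED_MANIFESTS)) {
  for (const [hook, cmd] of Object.entries(entry.hooks)) {
    console.log(`${entry.name}@${entry.version} runs on ${hook}: ${cmd}`);
  }
}

module.exports = { INSTALL_HOOKS, installScripts, auditManifests, CONSTRUCTED_MANIFESTS };
```

Only `hypothetical-telemetry-pkg` is reported; `test` and `build` scripts never run during installation of a dependency. If the expectation in the post (install should do nothing beyond installing) is a policy you want enforced rather than just audited, `npm install --ignore-scripts` skips these hooks entirely, at the cost of also skipping packages that legitimately need an install step (native builds, for instance).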