ImPostingOnHN 2 hours ago
> You're collapsing two different threat models. The risk isn't that code runs, it's WHEN it runs.

> You don't have to build it, run it, or even import it

If you just installed something with npm, chances are you'll be running it shortly, either as a tool or a library, probably minutes or seconds later. I imagine the use case of installing an npm package you don't plan on using or transitively importing constitutes a small portion of npm installs.