From the report on Github it seems like Zed will also download LSP for other languages without prompting, so it is initially an issue with Zed, but enhanced by the fact that NPM is misused. It should be noted that other package managers can also run post install scripts.
That being said, I also don't use NPM and actively discard any software that requires me to run an NPM command. It's somewhat funny to me that people are complaining that Python have a package management problem, while we at the same time have NPM which basically took the ideas from Python and said "What if we made this worse?".
The worst NPM misuse, from my perspective, is people viewing NPM as a platform agnostic package manager. I can understand not wanting to build .deb, .rpm and Brew packages, but that doesn't mean that just plunking a pre-build binary into NPM is a good choice.
That being said, I also don't use NPM and actively discard any software that requires me to run an NPM command. It's somewhat funny to me that people are complaining that Python have a package management problem, while we at the same time have NPM which basically took the ideas from Python and said "What if we made this worse?".
The worst NPM misuse, from my perspective, is people viewing NPM as a platform agnostic package manager. I can understand not wanting to build .deb, .rpm and Brew packages, but that doesn't mean that just plunking a pre-build binary into NPM is a good choice.