It's always cute to find new vectors for command injection. Really anytime you mix data and commands this type of crap is bound to happen (ex: sql injection).
Still not as worrisome to me as the full scripts that get executed by package managers when you install dependencies. Effectively every time you run something like "npm install" you're putting your faith in the entire tree of ancestor dependencies as any of them could have a pwnage script as a post install.
More often than not, building and deploying is secondary for developers to writing the library itself, if that. Build scripts and installation don't get the same treatment and care the library does.
This is one of the primary reasons why I prefer distribution-packaged libraries to pulling a library and its dependencies directly from developers. Staleness is a small price to pay relative to having at least two sets of eyes glance over the source and not execute arbitrary build scripts on my system.