
> Running npm install is not negligence.

I beg to differ and look forward to running my own fiefdom where interpreter/JIT languages are banned in all forms.
It has nothing to do with interpreters or JIT, it has nothing to do with npm at all. All package managers have the insane security model of "arbitrary code execution with no constraints".


It just so happens that all of those languages share the worst design points, such as the need for a package manager at all and the classic "eval and equivalents run arbitrary code".

> All package managers have the insane security model of "arbitrary code execution with no constraints".

Not all of them, just the most popular ones for these highly sophisticated, well thought-out bunch of absolute languages.


What language does not have a popular package manager that provides code execution?

All of those that ship code instead of packages, e.g. C and Go.

I tend to agree but think npm's postinstall hook is a degree worse. Triggering during install, silently because npm didn't like someone using the feature to ask for donations, is worse than requiring you to load and run the package code.
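The install-time hooks the comment above refers to are ordinary entries under `"scripts"` in a package's package.json, so a dependency tree can be inventoried for them before anyone lets them run. The following is an added example, not code from the thread or from npm: it parses constructed package.json manifests (the package names and commands below are made up) and reports every script npm would execute during `npm install`, which is the list a reviewer wants alongside `ignore-scripts=true` in `.npmrc`.

```python
import json
from pathlib import Path
from typing import Dict, List

# npm lifecycle hooks that run without any further action by the user when a
# package is installed (preinstall/install/postinstall on every install,
# prepare on local and git-dependency installs).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_time_scripts(package_json_text: str) -> Dict[str, str]:
    """Return the lifecycle scripts in one package.json that would execute
    during `npm install`, keyed by hook name. A manifest with no scripts, or
    with a malformed "scripts" value, yields an empty dict."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_manifests(manifests: Dict[str, str]) -> List[str]:
    """Scan a {package_name: package.json text} mapping and report each package
    that runs code at install time as a 'name: hook -> command' line."""
    findings: List[str] = []
    for name in sorted(manifests):
        for hook, cmd in install_time_scripts(manifests[name]).items():
            findings.append(f"{name}: {hook} -> {cmd}")
    return findings


def scan_node_modules(root: str) -> List[str]:
    """Read every installed package.json under a node_modules directory
    (including @scope/name packages) and audit it with the same logic.
    Run this after `npm install --ignore-scripts`, before allowing scripts."""
    base = Path(root)
    manifests: Dict[str, str] = {}
    for pattern in ("*/package.json", "@*/*/package.json"):
        for path in base.glob(pattern):
            manifests[str(path.parent.relative_to(base))] = path.read_text(encoding="utf-8")
    return audit_manifests(manifests)


# Constructed sample manifests; these are not real packages.
SAMPLE_MANIFESTS = {
    "left-pad-ish": json.dumps({
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js"},           # test-only: nothing runs on install
    }),
    "native-thing": json.dumps({
        "name": "native-thing", "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild"},    # legitimate-looking native build step
    }),
    "thanks-banner": json.dumps({
        "name": "thanks-banner", "version": "0.1.0",
        "scripts": {"postinstall": "node scripts/banner.js",
                    "prepare": "npm run build"},
    }),
}

if __name__ == "__main__":
    for line in audit_manifests(SAMPLE_MANIFESTS):
        print(line)
```

The point of the exercise is that an install hook looks identical whether it compiles a native addon or does something the installer never asked for; the script name and command tell you only that code will run, so the output is a review queue, not a verdict. Pairing the scan with `ignore-scripts=true` turns the silent default into an explicit allow decision per package.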


Which package managers don't contain an equivalent feature for running code as part of the install process?

Do you really mean this literally? Even the Linux kernel contains tens of thousands of lines of Python, and more lines of shell. Is that undesirable?
