GitHub will change npm's defaults so that npm install no longer runs package lifecycle scripts automatically, closing off a mechanism abused by malicious packages such as the Shai-Hulud worm. In npm 12, due in July, preinstall, install, and postinstall scripts will not run unless explicitly permitted via allow-scripts. The --allow-git flag and allow-remote will also default to off.