In most package managers a dependency's install-time code runs by default the moment you install it: an npm postinstall, a Setuptools setup.py, a CPAN Makefile.PL, an RPM scriptlet, a Conda post-link, a Debian postinst. A handful refuse to run any of that code until you explicitly opt in per package; the list of packages granted that permission is called an allowlist or a trusted-dependencies list, depending on the tool.
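The check a practitioner wants before building such a list is an inventory of which dependencies actually declare install-time hooks, and a diff of that inventory against what has already been approved. The Python below is an added example, not code from the original text or from any package manager; it inspects npm-style package.json manifests (constructed sample data here, standing in for node_modules/<name>/package.json), reports the install-time lifecycle scripts each one declares, flags packages with hooks that are not yet allowlisted, and renders the approved set in pnpm's `onlyBuiltDependencies` (pnpm-workspace.yaml) and Bun's `trustedDependencies` (package.json) formats. The sample package names and script commands are invented for illustration.

```python
"""Audit dependencies for npm install-time lifecycle scripts.

Added example, not code from the original text. It inspects the package.json
of each dependency (constructed inline here rather than read from node_modules),
lists every package that declares an install-time hook, and diffs that list
against an explicit allowlist so that a dependency which newly declares an
install script is noticed before its code is allowed to run.
"""
import json
from typing import Dict, Iterable, List, Set

# Lifecycle scripts npm runs when a package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample data standing in for node_modules/<name>/package.json.
SAMPLE_PACKAGE_JSONS: Dict[str, str] = {
    "left-pad": json.dumps({"name": "left-pad", "version": "1.3.0"}),
    "esbuild": json.dumps({
        "name": "esbuild", "version": "0.19.0",
        "scripts": {"postinstall": "node install.js"},
    }),
    "native-addon": json.dumps({
        "name": "native-addon", "version": "2.0.1",
        "scripts": {"install": "node-gyp rebuild", "test": "node test.js"},
    }),
    "setup-helper": json.dumps({
        "name": "setup-helper", "version": "0.0.3",
        "scripts": {"preinstall": "node scripts/setup.js", "build": "tsc"},
    }),
}


def install_hooks(package_json_text: str) -> Dict[str, str]:
    """Return the install-time hooks a package.json declares, in run order.

    Non-install scripts such as "test" or "build" are ignored; a package
    with no "scripts" block declares no hooks.
    """
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def packages_with_install_hooks(
    package_jsons: Dict[str, str],
) -> Dict[str, Dict[str, str]]:
    """Map each package name to its install-time hooks, omitting hook-free packages."""
    found: Dict[str, Dict[str, str]] = {}
    for name, text in package_jsons.items():
        hooks = install_hooks(text)
        if hooks:
            found[name] = hooks
    return found


def unapproved(package_jsons: Dict[str, str], allowlist: Set[str]) -> List[str]:
    """Names of packages that declare install hooks but are not on the allowlist.

    This is the check to run in CI: a non-empty result means a dependency
    would execute install-time code that nobody has explicitly trusted.
    """
    return sorted(set(packages_with_install_hooks(package_jsons)) - allowlist)


def to_pnpm_workspace_yaml(names: Iterable[str]) -> str:
    """Render an allowlist as pnpm's onlyBuiltDependencies block (pnpm-workspace.yaml)."""
    lines = ["onlyBuiltDependencies:"] + [f"  - {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


def to_bun_package_json_field(names: Iterable[str]) -> str:
    """Render an allowlist as Bun's trustedDependencies field for package.json."""
    return json.dumps({"trustedDependencies": sorted(names)}, indent=2)


if __name__ == "__main__":
    reviewed = {"esbuild", "native-addon"}  # packages someone has actually vetted
    for name, hooks in packages_with_install_hooks(SAMPLE_PACKAGE_JSONS).items():
        print(f"{name}: {hooks}")
    print("not yet approved:", unapproved(SAMPLE_PACKAGE_JSONS, reviewed))
    print(to_pnpm_workspace_yaml(reviewed), end="")
    print(to_bun_package_json_field(reviewed))
```

Two caveats apply when running this against a real tree. The scanner only sees scripts that are declared: npm also runs an implicit `node-gyp rebuild` for a package that ships a binding.gyp and declares no install or preinstall script, so such packages need to be counted as hook-bearing even though their package.json says nothing. And an allowlist is only as good as the review behind it; the useful signal is `unapproved` turning non-empty on a lockfile change, because that is the moment a dependency started asking to run code it did not run before.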
Per-package…