The package.json scripts are useful, but they are also a potential security issue. For example:
A Malicious Module on npm
Earlier this week a package called rimrafall was published to npm. This package had a preinstall hook that executed the command rm -rf /*. It was created on 01/26/2015 at 15:28 and immediately posted to Hacker News and then it was unpublished from the registry by npm at 17:06 – giving it a lifespan of less than two hours.
I don't know if NPM has done anything about this since, but I don't think this should ever have been possible. Installing a module should never execute arbitrary commands, at least not without first prompting if the command should be run. I think this is one of the mistakes an NPM replacement should not make.
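As an added illustration of the mechanism the issue describes (not code from the issue or from npm): a small pre-install check that reads a package.json and reports any lifecycle scripts npm would run automatically, so a human can be prompted before they execute. The function names and the sample manifests are constructed for this example; the sample mirrors the rimrafall case described above.

```javascript
// Lifecycle scripts npm runs on its own during `npm install`:
// preinstall/install/postinstall for dependencies, prepare for the
// local package and git dependencies. Nothing here is npm's own API.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return the install-time hooks declared in a package.json text.
function findInstallHooks(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg && typeof pkg.scripts === 'object' && pkg.scripts !== null
    ? pkg.scripts
    : {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Decide whether a package can be installed without prompting: only when
// it declares no install-time hooks at all. The caller is expected to show
// `hooks` to the user before letting `npm install` proceed otherwise.
function review(packageJsonText) {
  const hooks = findInstallHooks(packageJsonText);
  return { safeToAutoInstall: hooks.length === 0, hooks };
}

// Constructed sample manifests (not real registry data): the first mimics
// the preinstall hook described in the issue, the second is benign.
const SAMPLE_MALICIOUS = JSON.stringify({
  name: 'rimrafall',
  version: '1.0.0',
  scripts: { preinstall: 'rm -rf /*' },
});
const SAMPLE_BENIGN = JSON.stringify({
  name: 'example-lib',
  version: '0.0.1',
  scripts: { test: 'node test.js' },
});

for (const text of [SAMPLE_MALICIOUS, SAMPLE_BENIGN]) {
  const result = review(text);
  console.log(JSON.parse(text).name, result.safeToAutoInstall ? 'OK' : 'PROMPT', result.hooks);
}
```

npm itself can disable these hooks outright with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc); the check above is the "prompt first" middle ground the issue asks for.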