fix(dlx): prevent post-install scripts from running

Add ignoreScripts: true to Arborist options to prevent install and
post-install scripts from running during dlx package installation.
This is a security measure to prevent potentially malicious scripts
from executing during dependency installation.

Author: jdalton

src/dlx-package.ts

@@ -293,6 +293,9 @@ async function ensurePackageInstalled(
           cache: pacoteCachePath || path.join(packageDir, '.cache'),
           // Skip devDependencies (production-only like npx).
           omit: ['dev'],
+          // Security: Skip install/preinstall/postinstall scripts to prevent arbitrary code execution.
+          // Note: binLinks defaults to true, which is needed for dlx to execute the package binary.
+          ignoreScripts: true,
         })
 
         await arb.buildIdealTree()