This one is just an idea; I'm not sure about it yet.
The basic idea here is to flag invocations of npm install and npm ci in run: blocks if they don't include an --ignore-scripts option, as that option prevents unnecessarily risky build-time code execution.
Arguments for: it's high impact, would help people seal off code injection sites.
Arguments against: it's probably going to be noisy (there's also possibly an npm config file we won't analyze, etc.), and it's arguably "inside" the trust model for npm (similar to how sdists are inside the model for Python).
Feedback wanted, particularly from people who are more familiar with npm/JS than me 🙂
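The check this issue proposes, as an added example (not code from the project or the issue author): a small Python scanner that pulls `run:` scripts out of a workflow and flags `npm install`/`npm ci` invocations lacking `--ignore-scripts`. It goes slightly beyond the issue text by also treating npm's `i` alias as an install and by splitting chained commands (`&&`, `;`, `|`); the sample workflow, the minimal YAML handling and the function names are assumptions of this example.

```python
import re
import shlex
# Constructed sample workflow (not from the issue); mixes guarded and unguarded installs.
SAMPLE_WORKFLOW = """\
steps:
  - run: npm ci
  - run: |
      npm ci --ignore-scripts
      npm run build
  - run: cd app && npm install --no-audit
  - run: npm i --ignore-scripts && npm test
"""
# npm subcommands that install deps and so run lifecycle scripts; `i` aliases `install`.
INSTALL_SUBCOMMANDS = {"install", "i", "ci"}

def extract_run_scripts(workflow: str) -> list[str]:
    """Script of every `run:` key, including `|`/`>` block scalars (minimal YAML handling)."""
    lines, scripts, i = workflow.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest not in ("|", "|-", ">", ">-"):
            scripts.append(rest)              # inline scalar: `run: npm ci`
            continue
        block = []                            # block scalar: deeper-indented lines (stops at a blank line)
        while i < len(lines) and len(lines[i]) - len(lines[i].lstrip()) > indent:
            block.append(lines[i].strip())
            i += 1
        scripts.append("\n".join(block))
    return scripts

def unguarded_npm_installs(script: str) -> list[str]:
    """Commands in `script` that install via npm without --ignore-scripts."""
    flat = script.replace("\\\n", " ")        # join backslash line continuations
    findings = []
    for cmd in re.split(r"\n|;|&&|\|\||\|", flat):   # split into simple commands
        try:
            argv = shlex.split(cmd)
        except ValueError:                    # unbalanced quotes: leave it for a human
            continue
        if (len(argv) >= 2 and argv[0] == "npm" and argv[1] in INSTALL_SUBCOMMANDS
                and "--ignore-scripts" not in argv[2:]):
            findings.append(cmd.strip())
    return findings

def audit_workflow(workflow: str) -> list[str]:  # every finding across all run: steps
    return [f for s in extract_run_scripts(workflow) for f in unguarded_npm_installs(s)]
```

As the issue notes, this only sees the command line: an `ignore-scripts=true` set in an `.npmrc` the workflow happens to pick up would still be reported, so a real implementation would need an allowlist or config awareness to keep the noise down.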