zkat / npx

execute npm package binaries (moved)
https://github.com/npm/npx

--no-install should be default behavior #220

Open yukulele opened 5 years ago

yukulele commented 5 years ago

When I install a package locally with npm, I don't want to run it with ./node_modules/.bin/the-package, so I use npx: npx the-package. I often use it: in the terminal, in scripts, in makefiles.

But if I forget to install the package, or if I haven't done npm install, npx seems to try to install it first, only for one use. So I'm not really informed that the package is not installed.

I think these two tasks are totally unrelated:

  1. run a locally installed npm package
  2. run an npm package that is not installed

I want to do the first, not the second. Some people want to do the second, not the first.

npm tries to do the first, else the second; who needs that?

Security issue: if I make a typo, I'm likely to download and directly launch any unknown package.

Another problem is that the package name is not always the same as the executable; for example, if I install pug-cli, I can do npx pug; if it is not installed, it will try to install pug (which only contains the JS library), so this is not the expected behavior.

For all these reasons, I suggest that by default, npx only runs local packages, and displays an error message if the package is not installed locally.

Personally, I'm not sure I understand the usefulness of the "install&run" behavior (I never use it). It could possibly be called with a parameter, but I think it would be better to create a new package for it.

GitTom commented 5 years ago

This issue is being discussed in #198.
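
The local-only behaviour requested in the opening post (run what is installed in node_modules/.bin, fail with an error otherwise), sketched as a shell wrapper. This is an added example, not part of the thread and not npx code; the function names find_local_bin, run_local and demo, and the mistyped name pgu, are hypothetical.

```shell
#!/bin/sh
# Added example, not npx code: run a package binary only if it is installed locally.

# find_local_bin NAME [START_DIR]: print the path of node_modules/.bin/NAME in
# START_DIR or its nearest ancestor. Returns 1 if absent, 2 if NAME is not a
# plain file name (so "../x" cannot escape node_modules/.bin).
find_local_bin() {
    name=$1
    case $name in
        ''|*/*|.|..) return 2 ;;
    esac
    dir=$(cd "${2:-.}" && pwd) || return 1
    while :; do
        candidate=$dir/node_modules/.bin/$name
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        if [ "$dir" = / ]; then return 1; fi
        dir=$(dirname "$dir")
    done
}

# run_local NAME [ARGS...]: execute the local binary, or fail with status 127
# without contacting the registry.
run_local() {
    name=$1
    bin=$(find_local_bin "$name") || {
        echo "run_local: no local binary named '$name'; not downloading anything" >&2
        return 127
    }
    shift
    "$bin" "$@"
}

# Constructed demo project whose only local binary is "pug" (as pug-cli would install).
demo() {
    proj=$(mktemp -d) && mkdir -p "$proj/node_modules/.bin" "$proj/src"
    printf '#!/bin/sh\necho "local pug $*"\n' > "$proj/node_modules/.bin/pug"
    chmod +x "$proj/node_modules/.bin/pug"
    ( cd "$proj/src" && run_local pug --help; run_local pgu; echo "typo exit status: $?" )
    rm -rf "$proj"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Because the lookup is by executable name rather than package name, pug resolves to whatever pug-cli placed in node_modules/.bin, and a mistyped name stops with an error instead of triggering a download.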