berstend / node-safe

🤠 Make using Node.js safe again with Deno-like permissions

Home Page: https://node-safe.com

Ability to run `npx` without network access

azerum opened this issue · comments

Scripts that are run with `npx-safe` still have network access, even when `allow-net` is false. See this repository for the details.

The net access is given explicitly in the code.

`npx` has a feature to download a package if it's not yet installed. I guess this is the main motivation behind giving `npx` internet access? It would be nicer to allow `npx-safe` to run without internet access by default, or with some switch, or we should at least mention this in the README, since, I think, the behavior is quite surprising and potentially dangerous.

With `npx-safe eslint`, ESLint will have internet access. With `"scripts": { "lint": "eslint" }` in `package.json` and `npm-safe run lint`, it won't.

P.S. Thank you a lot for the project. This package has the potential to save the JS ecosystem :)
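
A way to check the behaviour reported above, as an added example that is not part of the original issue or of the node-safe project: a small network canary that attempts one TCP connection and reports whether the operating system denied it. The file name `net-canary.js`, the verdict strings, and the assumption that a sandbox denial surfaces as `EPERM` or `EACCES` are assumptions of this example.

```javascript
"use strict";
// net-canary.js (hypothetical name): run the same file under each launcher
// and compare verdicts. Added example, not node-safe code.
const net = require("net");

// Assumption: a sandbox that forbids networking makes the socket call itself
// fail with a permission error rather than a network error.
const DENIED = new Set(["EPERM", "EACCES"]);
// These codes mean the connect attempt left the process and a peer answered,
// so the process did have network access.
const REACHED = new Set(["ECONNREFUSED", "ECONNRESET"]);

function classify(err) {
  if (!err) return "network-allowed";            // connection established
  if (DENIED.has(err.code)) return "network-blocked";
  if (REACHED.has(err.code)) return "network-allowed";
  // ETIMEDOUT, ENOTFOUND, ENETUNREACH...: host may simply be offline.
  return "inconclusive";
}

function probe(host, port, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const sock = net.connect({ host, port, timeout: timeoutMs });
    const done = (err) => {
      sock.destroy();
      resolve({ verdict: classify(err), code: err ? err.code : null });
    };
    sock.once("connect", () => done(null));
    sock.once("timeout", () => done({ code: "ETIMEDOUT" }));
    sock.once("error", done);
  });
}

// CLI use: node net-canary.js <host> <port>
// Pass an IP literal so a DNS failure cannot mask the result.
const [host, port] = process.argv.slice(2);
if (host && port) {
  probe(host, Number(port)).then((result) => {
    // npm sets npm_lifecycle_event for package.json scripts; null otherwise.
    const via = process.env.npm_lifecycle_event || null;
    console.log(JSON.stringify({ via, host, port: Number(port), ...result }));
    // Non-zero exit when the sandbox did not block the connection.
    process.exitCode = result.verdict === "network-blocked" ? 0 : 1;
  });
}
```

Run it once through a `package.json` script with `npm-safe` and once through `npx-safe`, against a host and port you control; a `network-blocked` verdict in one and `network-allowed` in the other reproduces the inconsistency described in the issue.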