This is clone of npm/npm#19673 and seems relevant here.

Running npx [command] will auto-install and auto-run a module if not installed. This is a handy feature. However there are few scenarios where --no-install is helpful.

1. If the project depends on a certain devDependency version, and would not work on the latest - this could break the build.
2. Some projects follow the process of keeping all devDependencies locally.

To avoid using --no-install in every npx command, could no-install be set in a config file like npxrc or in package.json as below:

{
  "npx": { "noInstall": true },
}

Ref #105.

I would think --no-install should be the default behavior (principle of least surprise; see: npm/npm#19673 (comment)). And in that case, if the command is not found, npx's console output should give a hint about the possibility of using an --install flag, i.e. instead of only reporting not found: <cmd>.

should be the default behavior

I agree with this sentiment.

However I think there should also be a config available for npx. Should we raise a separate issue for that? #105 requests that, but people keep focusing on the --no-install option specifically.

Note that npm-run is an alternative to npx, which doesn't have this problem. This is a security issue that's been open for over a year - seems unlikely it will be fixed soon - so moving to a package that behaves in a safe and sane way would seem prudent.