Use the full path of sl and not rely on $PATH in the same way cron and macOS GUI apps do for I assume this exact reason.
Is the full path guaranteed? For example homebrew, snap, and apt might put it all in different places. $PATH is a useful tool.
But not in this case where you have two executables with the same name.
You have to know where the tool was installed or else be certain no other sl is on your path.
How would knowing the full path help you anyway? It's either in "/usr/bin/sl", or "/usr/local/bin", or "~/.local/bin", now what?
By the way, believe it or not, POSIX compliance requires existence of only two directories (/dev and /tmp) and three files (/dev/console, /dev/null, and /dev/tty) on the system; everything else is completely optional, including existence of /bin, /etc, and /usr.
Because you know what you installed and so which sl to use.
But the sl is not invoked by you. It is invoked by some npm module (a 5-times-removed dependency from any side) which hopes that either there is "sl" in the $PATH and it is the Sapling CLI, or there is no "sl" in the $PATH. This module can't use absolute paths because it does not know how the end user's system looks.
In that case it is a large security risk as well as it does not work as per the article
A program invoking some other the program that the user themself consciously have installed on their system (and put into the PATH) is not a security risk per se, it's literally UNIX Way™ working as intended.
Finding the full path of sl requires looking at $PATH
In this case not as then you find the wrong sl - you need to know where the correct sl was installed.