This isn’t a security flaw at all. It’s that simple: As long as your user isn’t logged in, the keychain is locked. Once you’re logged in, the keychain automatically unlocks, so that native applications (like Safari) are able to retrieve a certain password that they need.
First of all: Thank you!
I’ve gathered most of my information through social networks like Twitter, Medium or various blogs and magazines. Instead of just showing you a list of examples, I’d also like to suggest typing something like “npm as build tool” into Google.