I agree. If you're distributing via npm, then it should be a dev-facing product... and most developers will want to be in the driver's seat regarding when to update and if so, to what version (jumping to the next major version vs just applying patches).
Auto-updating also has a higher chance of being terminated by the user, since the user is usually not expecting the update and may not have time for it or may be concerned about compatibility problems with the new version, etc. I'm not sure how robust npm is with respect to updates that are abruptly terminated mid-stream.
I have had cli tools tell me when they were out of date and remind me what npm command to run to update them -- i think that's ideal, especially if it's keeping busy doing what it normally does while it waits on the network to find out whether it's the latest version. i've never had a cli tool installed via npm auto-update on me, i think that would be surprising & annoying.
Developers can sometimes depend on cli tools in surprising ways, for instance if they are using the tool as part of a chain and parsing the output by another tool or piping specific input from a different tool. Even though you consider a new version to be backwards compatible, they may be depending on something you didn't expect (like the exact formatting of the output) or may even have a work-around in place for a bug, such that they are actually depending on the buggy behavior.
If it's not a dev-facing tool then I would recommend avoiding npm. Node is a standalone executable and it isn't monstrous, it can be shipped with your product. That way you can send a new version of node as part of your update process, if your code depends on it.
-- peter