Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] opt-in install and postinstall scripts #619

Closed
koba04 opened this issue Dec 19, 2019 · 2 comments
Closed

[FEATURE] opt-in install and postinstall scripts #619

koba04 opened this issue Dec 19, 2019 · 2 comments

Comments

@koba04
Copy link

koba04 commented Dec 19, 2019

What / Why

install and postinstall are npm scripts that run while npm install ${package} or npm ci.
It means that we allow the package author to run any scripts on our machine, which is definitely dangerous if we don't recognize what packages are installed as dependencies.
Unfortunately, it might be impossible to recognize all the dependencies on your project so we run scripts we don't know while npm install.

To avoid this, we can use the --ignore-scripts option, which disables all npm scripts while installing dependencies.
But sometimes the scripts are required to work the packages.

I've created an npm package to print all these scripts in your project.
https://github.com/koba04/install-scripts

But I think it would be nice if npm has the mechanism to opt-in install and postinstall scripts.
I guess there are some ways to do this. The followings are ideas on me. Please let me know If you have any ideas 🙏

whitelistScripts in package.json

This field is to allow packages to run npm scripts.
With this option, we can share the information that we allow packages to run scripts through the package.json.
It might be better this option is enabled only with --whitelist-scripts option.

{
  "whitelistScripts": [
    "fsevents",
    "puppeteer"
  ]
}

--confirm-scripts

This option is to show a prompt whether you run the script or not.
This is useful if you know what the script would do.

Do you run the install script for fsevents?
y/n

other option

This is another feature request for --ignore-scripts.
I hope that npm prints all scripts not to run while installing with --ignore-scripts like https://github.com/koba04/install-scripts.

When

  • npm install or npm ci

Where

  • npm public registry

How

Current Behavior

  • run all install and postinstall scripts or don't run any scripts with --ignore-scripts option.

Expected Behavior

  • We can opt-in scripts to be able to run.

Who

  • n/a

References
@ljharb
Copy link
Contributor

ljharb commented Dec 19, 2019

You may want to open this on the rfcs repo instead

@koba04
Copy link
Author

koba04 commented Dec 19, 2019

@ljharb Thank you! I've created this on the rfcs repo!
npm/rfcs#80

@koba04 koba04 closed this as completed Dec 19, 2019
@Theo13111 Theo13111 mentioned this issue Aug 10, 2023
Open
@snyk-io snyk-io bot mentioned this issue Oct 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ljharb @koba04