-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RRFC] all commands (without context) should respect --ignore-scripts
#709
Comments
--ignore-scripts
--ignore-scripts
I think the challenge is that it affects both the current project's scripts and also dependencies' scripts. I always would probably want to ignore by default the scripts of dependencies - but i would never want to ignore my own scripts. |
Trying to accommodate for that kind of nuance is how we got into the current state (ie. there are too many variants for a single flag to navigate). That said, it should still be possible to fully disable scripts in a single flag & this is what people are expecting but is not what happens. Previous work/efforts to advance scripts more holistically stalled & I'm guessing are unlikely to pick up any time soon (ref. #437) which is why I thought this would be a smaller/more realistic scope of work. |
I'm still unclear why anyone would ever want to ignore first-party scripts? |
The distinction isn't clear to anyone without in-depth knowledge/experience (ie. has read the code). There is no documentation delineating "first-party" scripts today. Would a workspace's scripts be "first-party", even though it can be defined as a dependency? What about linked deps? The flag's name is To be clear, I won't die on this hill as I'm no longer actively involved in |
First-party would mean only the scripts you could access yourself with |
Either way, there's no mention of/delineation of "first-party" or "third-party" anywhere in the docs. And the argument here has nothing to do with that; it's literally whether or not The current docs note:
But there's even more nuance then that, |
I totally agree that it's a confusing option right now and doesn't match people's intuitions. (and The biggest desire I'm aware of is to avoid running untrusted scripts during install - ie, those of installed dependencies. What other use cases are there? |
This isn't about trust, but more about efficiency - the fact that Use case: you're trying publish a pre-release1 with git based TS dependencies. It's reasonable for them to execute Footnotes
|
@dominykas i'd need more info to understand, but it sounds like you're describing a new lifecycle script rather than the need to manually remember that you need to disable extra scripts while running pack/publish? |
Yes, quite possibly a new life cycle script can also solve this - something that runs when you |
In I wanted to use Lerna to boostrap (link) packages (submodules in the repo) together, without running any scripts at all. That way, during the bootstrap process, packages would not try to build themselves without all packages first being in place, otherwise a build could fail midway through bootstrap. Then, after bootstrap, I intended to run I solved my problem more recently by removing |
This just bit me again today. It is very annoying! I ran the following in the Docsify repo in Windows, trying to avoid issues during install by using
I'm guessing it is trying to run the I just want npm to put dependencies in place, nothing more (it should show a message if it is not able to do that, f.e. a git dependency that requires prepare). |
Motivation ("The Why")
Today, the ecosystem has been incorrectly trained to believe that
--ignore-scripts
ensures no "scripts" are executed & the nuance of the various situations where that is true has historically been hard to document & educate (ex. bug bounty submissions based on the GitHub program/scope encompassing"Arbitrary script execution upon package install with the --ignore-scripts flag"
https://bounty.github.com/targets/npm-cli.html). For v10 (ref. npm/statusboard#487 / npm/cli#6641), I'm recommending the team makes all commands respect this flag properly (no matter how silly the situation).How
Current Behaviour
npm
makes nuanced decisions about which scripts to run even when--ignore-scripts
is defined (ex. git deps runprepare
,prepack
,npm test
will runscripts.test
etc.)Desired Behaviour
install
,publish
,pack
& more will ignore all defined scripts when--ignore-scripts
is set (ex. git repos would no longer be treated uniquely duringinstall
&prepare
/prepack
etc. wouldn't be executed)npm test --ignore-scripts
ornpm run foo --ignore-scripts
executes nothing (seems weird, but the result would be consistent)References
Bikeshedding
--ignore-pre-scripts
/--ignore-post-scripts
/--ignore-lifecycle-scripts
or something similar) but--ignore-scripts
should be the most broad in its enforcement & is the most requestedThe text was updated successfully, but these errors were encountered: