
fix(security): replace npx with npm exec to prevent unintended remote package execution#106

Merged: frankieyan merged 2 commits into main from frankie/remove-npx, Apr 4, 2026
Conversation

@frankieyan (Member)
Overview

npx silently downloads and executes packages from the npm registry when they aren't installed locally, which is a supply chain security risk. This replaces all npx usage with npm exec, which only runs packages already present in node_modules.

Changes

  • .husky/pre-commit: npx lint-staged → npm exec lint-staged
  • src/index.integration.test.ts: npx tsx → npm exec tsx --
  • README.md: all user-facing examples updated from npx to npm exec with -- separators where arguments are passed

Test plan

  • Run npm test to verify integration tests still pass
  • Trigger pre-commit hook to verify lint-staged runs correctly

🤖 Generated with Claude Code

… package execution

npx silently downloads and runs packages from the registry if they aren't
installed locally, which is a supply chain security risk. npm exec only
runs already-installed packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@frankieyan frankieyan requested a review from a team as a code owner April 4, 2026 09:22
@frankieyan frankieyan requested review from rmartins90 and removed request for a team April 4, 2026 09:22

@doistbot doistbot left a comment


This PR updates the codebase and documentation to replace npx with npm exec in an effort to mitigate the security risk of unintended remote package downloads. This is a valuable step toward tightening supply chain security across our development workflows. However, because modern npm allows remote lookups by default for both commands, successfully enforcing local-only execution requires appending the --no flag and -- separator to all updated instances.

@frankieyan frankieyan added the 👀 Show PR PR must be reviewed before or after merging label Apr 4, 2026
npm exec without --no still allows fetching uninstalled packages from
the registry, just like npx. The --no flag ensures only locally
installed packages can be executed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@frankieyan frankieyan requested a review from doistbot April 4, 2026 09:40

@doistbot doistbot left a comment


This PR replaces instances of npx with npm exec across the repository to improve supply chain security by preventing unintended remote package execution. This is a great proactive step that strengthens the security posture of the project's tooling and documentation. However, the update to the integration tests will likely cause failures because tsx is not installed in the fixture's local package.json, which will cause npm exec to exit with a missing-package error rather than running the CLI.

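As an added example (not the PR's own code and not part of the project), the script below is a POSIX shell runner that behaves the way the first review comment says `npm exec --no -- <bin>` must: it runs a binary only if it is already installed under ./node_modules/.bin and otherwise refuses without touching the registry. It also fails on exactly the case the second review comment flags, a bin such as tsx that is absent from the fixture's node_modules. The helper names (has_local, run_local, make_fixture, demo) and the stand-in lint-staged fixture are assumptions made for this example; npm itself is not needed to run it.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. It mirrors the behaviour
# the review thread asks for from `npm exec --no -- <bin>`: run a bin only if it
# is already installed under ./node_modules/.bin, and fail without touching the
# registry otherwise. The helper names and the fixture are assumptions.

# has_local BIN: succeeds if BIN is installed in the project's node_modules.
has_local() {
    [ -x "./node_modules/.bin/$1" ]
}

# run_local BIN [ARGS...]: execute the local BIN with ARGS, or refuse with
# exit status 127 (command not found). Nothing is ever downloaded.
run_local() {
    bin="$1"
    shift
    if ! has_local "$bin"; then
        echo "run_local: '$bin' is not in node_modules/.bin; refusing to fetch it from the registry" >&2
        return 127
    fi
    "./node_modules/.bin/$bin" "$@"
}

# make_fixture: create a throwaway project directory in which only a stand-in
# `lint-staged` is installed (constructed fixture, not the real package).
# Prints the directory path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/node_modules/.bin" || return 1
    cat > "$dir/node_modules/.bin/lint-staged" <<'EOF'
#!/bin/sh
echo "lint-staged ran with: $*"
EOF
    chmod +x "$dir/node_modules/.bin/lint-staged"
    echo "$dir"
}

# demo: the two cases from the thread. lint-staged is installed and runs;
# tsx is not (as in the test fixture the bot flagged), so the call is refused
# with status 127 instead of being fetched.
demo() {
    cd "$(make_fixture)" || return 1
    run_local lint-staged --allow-empty
    run_local tsx src/index.ts || echo "exit status: $?"
}

demo
```

The `--` in the PR's commands separates npm's own options from the package's arguments, so `npm exec --no -- tsx src/index.ts` hands `src/index.ts` to tsx rather than to npm; the wrapper above takes no options of its own, so it needs no separator.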
@frankieyan frankieyan merged commit f3d0900 into main Apr 4, 2026
2 checks passed
@frankieyan frankieyan deleted the frankie/remove-npx branch April 4, 2026 09:51

@rmartins90 rmartins90 left a comment
