security: clerk runs third party posinstall scripts

[shamilovtim]

Preliminary Checks

• I have reviewed the documentation: https://clerk.com/docs

• I have searched for existing issues: https://github.com/clerk/javascript/issues

• I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)

• This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.

Reproduction

n/a

Publishable key

pk_test_123456789

Description

npm postinstall scripts are a significant security risk in the JavaScript ecosystem and are frequently used as an attack vector in supply-chain incidents. Given the current threat landscape, many teams are moving toward blocking or heavily restricting these scripts by default.

Clerk currently uses a postinstall script for telemetry. We do not believe telemetry justifies the security tradeoff of running install-time scripts, especially when users and organizations are actively trying to reduce exposure to this class of risk.

We plan to block these scripts in our environment. For the security of your users, and in recognition of the ongoing risks in the JavaScript ecosystem, we ask that Clerk remove the use of postinstall scripts for telemetry.

Environment

As a security practice I no longer run npx, pnpm dlx or equivalent one off package execution commands on my machine. 

latest macOS, latest clerk SDKs

[dstaley]

Hi @shamilovtim! Our postinstall script does not execute third-party code, and only prints a warning to the terminal on the first time the package is installed. The script itself does not collect telemetry. Furthermore, we highly recommend users make use of their package manager's capability to explicitly allowlist postinstall scripts (such as pnpm's approve-builds). If you choose not to allow Clerk's postinstall script that's totally fine.

[shamilovtim]

Hi @dstaley I am aware that Clerk can be blacklisted in the package manager's settings. However I'm confused about how Clerk as an organization is weighing security tradeoffs as a matter of organizational policy. If the postinstall step is only used for printing a simple warning, and not for telemetry, could you please elaborate on how Clerk makes security tradeoffs like this and why using a known insecure API to print a simple warning to console is: 1) necessary 2) worth tracking you in our blacklist for 3) worth the risk to other customer's machines who don't have third party postinstall disabled?

[dstaley]

At the end of the day, the responsibility to vet postinstall scripts is up to the consumer. If you do not agree with our position that our postinstall script is safe to execute that's completely fine; you're free to disable it. We're going to evaluate whether there's a better mechanism to communicate the telemetry collection that doesn't rely on postinstall, but as it stands now we are not of the position that our postinstall script is a risk to our customers.