Wrap Installation in Function to Prevent Executing Malformed Code #9314
Conversation
|
This seems like a good idea on its face, but back when he was writing this script, @isaacs tested it under every version of POSIX-like-ish |
|
Hey, @qw3rtman! I talked to @isaacs and spent some time checking the script against known incompatibilities of function definitions. I think it's better to pass on this particular PR because even this benign-looking change is going to cause a pretty serious set of cross-shell incompatibilities. @isaacs put quite a bit of effort originally into making sure that was all set, and there's already some examples from http://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html_node/Shell-Functions.html#Shell-Functions where this would get violated. Even if we edited the script to work around those specific issues, I'm afraid that it would make it even harder in the future to make sure this is all compatible. That said, I agree with the purpose of this! The usual Let me know if you have any other thoughts. I'm going to close this now. Real, genuine thanks for the contribution, and I'm sorry it didn't seem like something we could actually land. I would've loved to have this extra safety net. :) |
Installing
npmviacurl -L https://www.npmjs.com/install.sh | shcould be potentially dangerous if the script does not fully download.For example (and perhaps this case doesn't exactly match the npm install script), suppose the script contains a line that copies
npmto the user's$PATH:cp npm /usr/local/bin/npm. If the script is not fully downloaded in its current layout, it could execute `cp npm /usr', effectively overwriting the entire operating system.Wrapping the entire installation in a function and then calling the function at the end of the script ensures that the entire installation script is downloaded before executing anything and has no drawbacks nor does it affect the current installation method.