Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE] opt-in install and postinstall scripts #80

Open
koba04 opened this issue Dec 19, 2019 · 0 comments
Open

[FEATURE] opt-in install and postinstall scripts #80

koba04 opened this issue Dec 19, 2019 · 0 comments

Comments

@koba04
Copy link

@koba04 koba04 commented Dec 19, 2019

What / Why

install and postinstall are npm scripts that run while npm install ${package} or npm ci.
It means that we allow the package author to run any scripts on our machine, which is definitely dangerous if we don't recognize what packages are installed as dependencies.
Unfortunately, it might be impossible to recognize all the dependencies on your project so we run scripts we don't know while npm install.

To avoid this, we can use the --ignore-scripts option, which disables all npm scripts while installing dependencies.
But sometimes the scripts are required to work the packages.

I've created an npm package to print all these scripts in your project.
https://github.com/koba04/install-scripts

But I think it would be nice if npm has the mechanism to opt-in install and postinstall scripts.
I guess there are some ways to do this. The followings are ideas on me. Please let me know If you have any ideas 🙏

whitelistScripts in package.json

This field is to allow packages to run npm scripts.
With this option, we can share the information that we allow packages to run scripts through the package.json.
It might be better this option is enabled only with --whitelist-scripts option.

{
  "whitelistScripts": [
    "fsevents",
    "puppeteer"
  ]
}

--confirm-scripts

This option is to show a prompt whether you run the script or not.
This is useful if you know what the script would do.

Do you run the install script for fsevents?
y/n

other option

This is another feature request for --ignore-scripts.
I hope that npm prints all scripts not to run while installing with --ignore-scripts like https://github.com/koba04/install-scripts.

When

  • npm install or npm ci

Where

  • npm public registry

How

Current Behavior

  • run all install and postinstall scripts or don't run any scripts with --ignore-scripts option.

Expected Behavior

  • We can opt-in scripts to be able to run.

Who

  • n/a

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.