-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make npm install scripts opt-in #488
Open
tolmasky
wants to merge
6
commits into
npm:main
Choose a base branch
from
tolmasky:make-scripts-install-opt-in
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Commits on Nov 5, 2021
-
Install scripts that can run just about anything by default pose some…
… pretty serious security considerations, and these are inreasingly moving out of the theoretical realm and becoming actively exploited. See for example here: https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/. At the same time, we have developed better techniques for many of the most common use cases for install scripts in the many years since npm originally included then. In particular, [N-API](https://nodejs.org/api/n-api.html) offers a compelling alternative to binary packages that are built on the users' computer. However, even before this, many packages are choosing to just pre-build for multiple platforms ahead of time to handle most of the common installation targets and make the install process easier on the user in general. Instead of by default always running the install scripts (`preinstall`, `install`, `postinstall`, `prepublish`, `preprepare`, `prepare`, `postprepare`) if they are present during the install process, provide flags to require users to explicitly allow them to run, either whoelsale as "one big swtich", or on a package by package (and optionally version by version) basis. Also provide matching `npm config` options to do the same globally and permanently instead of on every install. Reviewed by @tolmasky.
Configuration menu - View commit details
-
Copy full SHA for 15ec3f8 - Browse repository at this point
Copy the full SHA 15ec3f8View commit details
Commits on Nov 17, 2021
-
Configuration menu - View commit details
-
Copy full SHA for cedb22f - Browse repository at this point
Copy the full SHA cedb22fView commit details -
Configuration menu - View commit details
-
Copy full SHA for d3417c7 - Browse repository at this point
Copy the full SHA d3417c7View commit details -
Configuration menu - View commit details
-
Copy full SHA for 4c5e3db - Browse repository at this point
Copy the full SHA 4c5e3dbView commit details -
Configuration menu - View commit details
-
Copy full SHA for 89313c0 - Browse repository at this point
Copy the full SHA 89313c0View commit details -
Configuration menu - View commit details
-
Copy full SHA for 6a0151c - Browse repository at this point
Copy the full SHA 6a0151cView commit details
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.