- I think this is a good idea for other package managers as well, as it would help reduce the threat of supply chain attacks.
- Maybe add a command that can list which dependencies have a post-install script, so that if a dependency needs it, it could be added to the allowlist.
- Not sure that a trusted list would have stopped something like rspack (someone probably would have trusted it to run install scripts).
- Maybe also add to the lock file a checksum of the postinstall script (maybe also of JS and other executable files), so that it's easier to spot if something isn't correct.
- My instinctive preference is "no", as it would block functionality like this, which unzips in a postinstall step: https://johnnyreilly.com/smuggling-gitignore-npmrc-in-npm-packages. That said, I understand the rationale. Would there be a way to allow a postinstall for dependencies you trust? That way instructions could be put in a As long as there's a way to opt in, it's probably fine. I guess the issue is, if there isn't, then a whole class of packages stop being compatible with pnpm.
- Just to add another use case of useful post-install scripts: installing a TS lib from GitHub directly, the post-install script runs compilation, and there you go. Very nice when, instead of waiting for the release of a fix, you can directly use the upstream version.
- For the record: it would be great to share the allowlist format. The way the allowlist identifies packages has to avoid being tricked by bundled dependencies and git/URL installs having the same name in their package.json.
- There was recently an incident with rspack, where it was published with a postinstall script that contained malware. Such incidents happen from time to time, so it could be a good idea to stop running the scripts of dependencies by default, starting from pnpm v10.
  Prior art: bun already blocks the scripts of dependencies (unless they are from a "trusted list"). We won't have a default trusted list.
  97 votes