by STRML
3742 days ago
Unfortunately, it's not as simple as disabling `postinstall` hooks. In dev especially, the Node process likely runs as the same user as the one who publishes packages. There is nothing stopping the code from spawning `npm` and publishing a malicious project as soon as it is require()d. And of course, you're requiring it at some point, otherwise why would you install it? A better fix to this issue is to require publishers to enter a two-factor token, to email them to confirm publishing, or the like. Yeah, it makes everyone a bit uneasy with how much trust is involved in the ecosystem. Is there a better solution?

Also, disabling install hooks in NPM would make things really difficult for packages that rely on native code as they've traditionally been compiled on install. I consider that an anti-pattern, but it's one that's unlikely to be removed any time soon.