| The fact that any dependency can run a postinstall script is a supply chain attack risk! I believe package managers (npm, pnpm, yarn ..) need to account for a `allowList`-like implementation to give more granularity to what dependency can run a postinstall, as opposed to the all-in or not `--ignore-scripts` option. It can be made backward-compatible, where it's allowed by default if there's no allowList, else, only the allowed deps if present. An empty array would be equivalant to `--ignore-scripts` by default. Orgs/teams can define their own allowList and have it enforced as a policy or a recommendation. I know this is not enough to fully mitigate suply chain attacks, but it'd be a postive step forward. I'm not sure where to post such a proposal? npm ? |