by nikeee 101 days ago
Bun added `trustedDependencies` [1] to package.json and only executes postInstall scripts coming from these dependencies. I think this is something that should be supported across all JS package managers, even more than version cooldowns.

[1]: https://bun.com/docs/guides/install/trusted
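As an added illustration (not text from the post and not copied from Bun's docs), this is the shape of the `package.json` allowlist the post refers to. Package names and version ranges are placeholders chosen for the example:

```json
{
  "name": "example-app",
  "private": true,
  "dependencies": {
    "esbuild": "^0.21.0",
    "sharp": "^0.33.0",
    "left-pad": "^1.3.0"
  },
  "trustedDependencies": [
    "esbuild",
    "sharp"
  ]
}
```

With this file, `bun install` runs the lifecycle scripts (preinstall/install/postinstall) of `esbuild` and `sharp` and skips them for `left-pad` or any other package not listed. The allowlist governs only install-time scripts; it says nothing about what a package does once it is `require`d at runtime, which is the distinction the replies below argue over. npm's nearest equivalent is coarser: `ignore-scripts=true` in `.npmrc` disables lifecycle scripts for every package.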

3 comments

That's security theater. The package can still run arbitrary code the moment it's actually used.
That could probably be solved by opting in to the permission model of Node. But that won't work for everybody, especially in legacy applications.

Having trusted dependencies at least drastically reduces the risk that 'git clone && npm install' takes over the entire system.

Cooling down dependencies would certainly help, also.

How can you know that a dependency you trust won't be hacked? At best it slightly reduces the risk, but it's not even close to the effectiveness of version cooldowns that just block 100% of fresh updates.
Can you help me understand why one would ever need a post-install script in the first place, please?
IME the most reasonable case is an optional compilation of native components when prebuilt ones are not compatible. See also node-gyp.
Some tools also install pre-commit hooks. I don't like this practice, but I get why people are using it.
Compiling native extensions that link against libraries that can’t be included in the package for license reasons. That’s probably the one reason that simply can’t be removed.
To restart a service, or run ldconfig?