Can't they just jam the malware into the package itself? It runs with the same permissions on my machine (in unit tests, node servers, etc).
Because install scripts are being actively exploited, blocking them will reduce your exposure. Install scripts will also run anywhere that runs npm ci, npm install, etc., including build pipelines.
> Can't they just jam the malware into the package itself
Yes. Disabling install scripts won't safeguard you from all attack vectors.
But in some cases it could help with that. For instance, if the package runs in the browser and the payload requires file-system access, etc., then the attack can’t execute in the browser. And if in addition it was added to a life-cycle script, it would be mitigated.
At any rate, it’s worth having `ignore-scripts=true` because NPM life-cycle scripts are a common target (e.g., this one targets `preinstall`).