undefined | Better HN

0 pointsnotnullorvoid6d ago0 comments

Limiting post install as an attack vector is still a good thing.

Node is working on a similar permission model to Deno that allows explicitly granting certain system resource permissions https://nodejs.org/api/permissions.html. Using it should help reduce impact from malicious code, though if you allow wide permissions it's unlikely to help.

0 comments

Rohansi6d ago

> Limiting post install as an attack vector is still a good thing.

If npm got rid of the post install scripts it would permanently break the install process of packages that use it. Affected systems will need to bypass it, stay on an old npm version, or upgrade the packages to versions that work without post install. Meanwhile, attackers switch to a different attack vector and continue.

Who does that help?

notnullorvoidOP5d ago

I said limit post install, not remove them. Having an allow list in package.json of packages which can run post install would work fine. Pnpm already does this.

Having said that I'm not against full on removal of post install either. It would get more pushback, but would still be possible for people to manually run the post install for the few packages that require it, or to add them as a script in package.json.

j / k navigate · click thread line to collapse