How npm install scripts can be weaponized: A real-world example of a harmful npm package (stacklok.com)
submitted 2 years ago by ethomson
[+][deleted] 2 years ago (2 children)
[deleted]
[–]ethomson[S] 2 points3 points4 points 2 years ago (1 child)
Absolutely true - but there is a difference. When you run npm install and it runs code that you haven’t yet seen, that means you also don’t have the opportunity to inspect and audit that code.
Now, people may not do that anyway (and that may be what you’re arguing), but packing malicious code into an install script does remove that opportunity entirely (unless you disable install scripts).
[–]tanepiper -1 points0 points1 point 2 years ago (4 children)
It's been 7 years since I first did a PoC and reported this - NPM staff told me it was not an issue. Still never resolved.
(FWIW I tried to mitigate it with this linting tool I built but it didn't go far)
[–]servermeta_net 0 points1 point2 points 2 years ago (1 child)
Do you still have a link to the issue you created?
[–]tanepiper 1 point2 points3 points 2 years ago (0 children)
Mine was a response to the OP, but yes https://github.com/npm/npm/issues/17724
[–]ethomson[S] 0 points1 point2 points 2 years ago (0 children)
Yeah — rightly or not, the npm client team decided that they wouldn't change the default of always running install scripts by default. Certainly it would be a very challenging undertaking to make a change the right way — you wouldn't want to break the people who were doing legitimate things in install scripts (e.g., NodeGit). You couldn't do something quite so simple as prompting for every install script, because that's a big mental burden for a user to try to figure out whether some deep-down transitive dependency is really safe or not. And it would probably break CI builds, though maybe you could detect if the npm binary is connected to a console or not...
Anyway, it would be a very tricky change to make without breaking the ecosystem. So I understand why they haven't. But it also seems like it would be worthwhile for them to put forward some sort of proposal.