Download source. Extract. Move files to the correct node_modules folder.
If your distribution requires more than this, then it's not really a module, or combines too many non-modular components, and should be distributed differently.
The ability for npm to run scripts on any level should be removed.
Then we can go back to worrying about namespacing issues.
You discovered what web development was like in the early 2000s.
If an attacker can infect the post-install script of an npm package, they can also infect the package source code itself. So if you ever run the project outside the sandbox, you will still get compromised.
It's like saying "I don't trust a software app with an installer, I just want a .zip with the binaries from the same source that I will run myself".
> The ability for npm to run scripts on any level should be removed.
Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.
Heck, VS Code/Cursor will auto-execute code if you open a project. And this has been actively used in the wild: https://ashishb.net/security/contagious-interview/