> Isn't executing arbitrary code kind of the entire point of NPM though?
No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. E.g.:
- pip
- Cargo
- apt/dpkg
- dnf/yum
- Homebrew
- RubyGems
- Composer (limited)
- Maven
> Any chance you have a link to something that describes their plans?
https://github.blog/changelog/2026-06-09-upcoming-breaking-c...
I get what you mean, but an NPM package is just a tarball of arbitrary code and some metadata. The whole point of it is to eventually run that arbitrary code, presumably. Otherwise why would you want to download the tarball and extract it? In fact, what purpose does NPM even serve if it's just a way to host tarballs?
I get the install time and run time execution might feel different, but I don't see how that's a security boundary at all.
I suspect that everyone will just get into the habit of typing --allowScripts all or whatever and nothing will actually change, because there's no point in a version of NPM that doesn't properly set things up for most people.
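Added example, not code from this thread or from npm itself: it makes concrete what the install-time execution argued about above consists of (the lifecycle hooks npm runs for a dependency, plus the implicit node-gyp build for packages that ship binding.gyp) and checks for the existing opt-out, `ignore-scripts`. The manifest and .npmrc contents are constructed samples.

```javascript
// Added example, not code from the thread or from npm: report which scripts in
// a package manifest npm runs automatically when the package is installed as a
// dependency, and check whether a .npmrc turns them off.

// Lifecycle hooks npm runs for every installed dependency, in execution order.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Given a parsed package.json and the list of files in the package root,
// return the install-time hooks that would execute, in the order npm runs them.
function installTimeScripts(pkg, fileList = []) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = INSTALL_HOOKS
    .filter((name) => typeof scripts[name] === "string" && scripts[name].trim() !== "")
    .map((name) => ({ hook: name, command: scripts[name] }));
  // npm's documented default: a package shipping binding.gyp with no install or
  // preinstall script gets `node-gyp rebuild` as its install step, so a native
  // addon invokes a build toolchain at install time even when scripts {} is empty.
  const explicitInstall = hooks.some((h) => h.hook !== "postinstall");
  if (fileList.includes("binding.gyp") && !explicitInstall) {
    hooks.push({ hook: "install", command: "node-gyp rebuild (implicit default)" });
  }
  return hooks.sort((a, b) => INSTALL_HOOKS.indexOf(a.hook) - INSTALL_HOOKS.indexOf(b.hook));
}

// The opt-out that already exists: `ignore-scripts=true` in .npmrc (or
// `npm install --ignore-scripts`) stops every hook above from running.
function ignoreScriptsEnabled(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const m = line.trim().match(/^ignore-scripts\s*=\s*(\S+)/);
    return m !== null && m[1].toLowerCase() === "true";
  });
}

// Constructed sample manifest (not a real package): only postinstall runs at
// install time; `test` runs only when someone invokes it explicitly.
const samplePkg = {
  name: "example-dep",
  version: "1.0.0",
  scripts: { postinstall: "node ./scripts/setup.js", test: "mocha" },
};

console.log(installTimeScripts(samplePkg, ["package.json", "index.js"]));
// [ { hook: 'postinstall', command: 'node ./scripts/setup.js' } ]
console.log(ignoreScriptsEnabled("registry=https://registry.npmjs.org/\nignore-scripts=true\n"));
// true
```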