
Allowlist for which packages are permitted to run scripts #9172

@arasmussen

Description


It seems like npm packages are getting compromised left and right. A major attack vector is vulnerable dependencies (e.g. plain-crypto-js) slipping into popular packages (e.g. axios) that are able to run scripts.

I realize that npm has ignore-scripts=true, but for many projects, this is unusable because they do need to run first-party or certain third-party scripts. (e.g. postinstall, sharp)

There are third-party packages like @lavamoat/allow-scripts that are a step in the right direction, but then you need to change from using npm install or npm ci to a different command like npm setup, which is unfortunate. This functionality also really feels like something that should be built into npm, not available via a dep.
