I know that there has been a lot of discussion about security and vulnerabilities with allowing npm modules to execute scripts when installing. I'm looking all through the npm documentation but it's not clear to me when npm will actually run a script via postinstall. Or does it not do it at all anymore?
I'm interested in publishing a module that adds an npm script to the project's package.json when it's installed. I tried testing it with this:
"postinstall": "npm set-script prepare node"
but when I install the module I get this:
npm ERR! Scripts can’t set from the postinstall script
But then if I try this:
"postinstall": "node -v"
I don't see the node version printed in the terminal. But I don't receive an error either. I also tried this:
"postinstall": "touch testfile"
No "testfile" is created, but I also don't get any error.
Also, I recently read that postinstall scripts run when doing a general npm install but not when installing a specific module like npm install xyz... I'm not sure how accurate that is.
So, can someone clear this up for me? What works and what doesn't? When does postinstall execution of scripts run and when does it not?
I can certainly understand why devs should be hesitant to allow npm to execute scripts in the background when installing dependencies. But it seems like a very crucial part of the ecosystem that some modules need to be set up when being installed. I don't know if there is any good answer.