Blacklist entire packages

It looks like NPM is now being used to serve advertisements to our terminals. Since I do not consent to seeing these advertisements on my machine, it's only fair to the package maintainer that I also do not install their library onto my system. While I would never install the package directly - it's quite likely to get pulled indirectly as a dependency of another library.

As far as I can figure, there is no way for me to blacklist an entire package from my system. It would be nice if it were possible.

Have you tried using `npm install --silent`? This is the documented way to silence output from npm install scripts. You could also purchase npm Enterprise which allows you to whitelist/blacklist packages.

Update: the funding experiment has ended: https://feross.org/funding-experiment-recap/

(Another idea prompted by the same ad experiment: Add adware warning)

`--silent` does not solve the problem; the code is still on my computer. In this case fine, it hides the output of the adware; but there are other use-cases where blacklisting would be useful.

What if there is a package sending analytics back to somewhere? What if there is a package with a license type my employer has a problem with? There are many reasons I might want to blacklist a package that the npm repo is fine with hosting.

1 Like
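The concern raised in this thread, a denied package arriving indirectly as a dependency or carrying an unwanted license, can at least be detected from the lockfile. The following is an added example, not part of the thread and not an npm feature: it scans a parsed `package-lock.json` (lockfileVersion 2 or 3) for denied names or licenses and reports which entries pull them in. The function names, the policy shape and every package name in the sample are hypothetical.

```javascript
// Added example (not npm functionality): find denied packages in a parsed
// package-lock.json with lockfileVersion 2 or 3 (the "packages" map).
const MARK = 'node_modules/';

function nameOf(key, entry) {
  // Aliased installs record the real name in entry.name.
  const i = key.lastIndexOf(MARK);
  return entry.name || (i < 0 ? key : key.slice(i + MARK.length));
}

function findDenied(lock, policy) {
  const names = new Set(policy.names || []);
  const licenses = new Set(policy.licenses || []);
  const installed = Object.entries(lock.packages || {})
    .filter(([key]) => key.includes(MARK)); // skip the root project and workspaces
  const hits = [];
  for (const [key, entry] of installed) {
    const name = nameOf(key, entry);
    const reasons = [];
    if (names.has(name)) reasons.push('name');
    if (licenses.has(entry.license)) reasons.push('license');
    if (reasons.length === 0) continue;
    // Which lockfile entries declare this package as a dependency?
    const requiredBy = Object.entries(lock.packages)
      .filter(([, e]) => name in { ...e.dependencies, ...e.optionalDependencies })
      .map(([k, e]) => (k === '' ? '(root project)' : nameOf(k, e)));
    hits.push({ name, version: entry.version, path: key, reasons,
                hasInstallScript: Boolean(entry.hasInstallScript), requiredBy });
  }
  return hits;
}

// Constructed sample lockfile; all package names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'web-toolkit': '^2.0.0' } },
    'node_modules/web-toolkit': { version: '2.1.0', license: 'MIT',
      dependencies: { 'ad-banner': '^1.0.0', 'fast-tpl': '^3.0.0' } },
    'node_modules/ad-banner': { version: '1.0.3', license: 'MIT', hasInstallScript: true },
    'node_modules/web-toolkit/node_modules/fast-tpl': { version: '3.2.0', license: 'AGPL-3.0-only' },
  },
};

const samplePolicy = { names: ['ad-banner'], licenses: ['AGPL-3.0-only'] };
console.log(JSON.stringify(findDenied(sampleLock, samplePolicy), null, 2));
```

To use it on a real project, pass `JSON.parse` of the lockfile contents as `lock` and fail the CI job when the result is non-empty. This detects a denied package after resolution; it does not stop npm from downloading it.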