npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Blacklist entire packages

It looks like NPM is now being used to serve advertisements to our terminals. Since I do not consent to seeing these advertisements on my machine, it's only fair to the package maintainer that I also do not install their library onto my system. While I would never install the package directly - it's quite likely to get pulled indirectly as a dependency of another library.

As far as I can figure, there is no way for me to blacklist an entire package from my system. It would be nice if it were possible.


Have you tried using npm install --silent? This is the documented way to silence output from npm install scripts. You could also purchase npm Enterprise which allows you to whitelist/blacklist packages.

Update: the funding experiment is ended: https://feross.org/funding-experiment-recap/


(Another idea prompted by the same ad experiment: Add adware warning)


--silent does not solve the problem; the code is still on my computer. In this case fine, it hides the output of the adware; but there are other use cases where blacklisting would be useful.

What if there is a package sending analytics back to somewhere? What if there is a package with a license type my employer has a problem with? There are many reasons I might want to blacklist a package that the npm repo is fine with hosting.
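
An added example, not part of the original thread and not npm's own tooling: a check over a parsed package-lock.json (lockfileVersion 2 or 3) that reports denied package names and license identifiers anywhere in the tree, including packages pulled in indirectly, which is the case the posts above raise. The package names, sample lockfile and policy shape are constructed for illustration.

```javascript
// Constructed sample lockfile; "left-helper", "ad-banner-lib" and "@acme/metrics"
// are hypothetical package names, not real findings.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0", license: "MIT" },
    "node_modules/left-helper/node_modules/ad-banner-lib": { version: "0.3.1", license: "MIT" },
    "node_modules/@acme/metrics": { version: "4.0.0", license: "AGPL-3.0-only" },
  },
};

// Package name = everything after the last "node_modules/" in the install path,
// unless the entry carries an explicit "name" (aliased installs, workspaces).
function packageName(path, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns one finding per lockfile entry that matches the policy.
// policy = { packages: [exact names], licenses: [exact license strings] } (assumed shape).
function findDenied(lock, policy) {
  const names = new Set(policy.packages || []);
  const licenses = new Set(policy.licenses || []);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = packageName(path, entry);
    if (names.has(name)) {
      findings.push({ name, version: entry.version, path, reason: "package" });
    } else if (licenses.has(entry.license)) {
      findings.push({ name, version: entry.version, path, reason: "license:" + entry.license });
    }
  }
  return findings;
}

const findings = findDenied(sampleLock, {
  packages: ["ad-banner-lib"],
  licenses: ["AGPL-3.0-only"],
});
for (const f of findings) console.log(`${f.reason}\t${f.name}@${f.version}\t${f.path}`);
// In CI: JSON.parse the real package-lock.json and exit non-zero when findings.length > 0.
```

The `path` field shows which parent pulled the package in, so a nested hit such as `node_modules/left-helper/node_modules/ad-banner-lib` points at the direct dependency to replace or pin.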

