npm Community Forum (Archive)

Block installing packages with privileged users

In many cases, when installing a package, a post-install script will run. This at its core is not an issue. However, if someone installs a package with a privileged user (root, for example), the post-install script will run with said permissions.

Not only is this dangerous behavior, but it may also cause issues later, as files are written with root permissions.

For example, this is Brew’s output when running it as root:

Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
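
A shell-level version of the check requested above, modelled on the Homebrew behaviour quoted in the post. This is an added example, not part of the original post and not npm's own code; the function names, the list of subcommands treated as script-running, and the sample arguments are assumptions.

```shell
#!/bin/sh
# Added example (not npm's code): refuse script-running npm commands as root.
# Function names and the subcommand list are assumptions made for this sketch.

# Succeeds when the word is an npm subcommand (or alias) that installs or
# rebuilds packages and can therefore trigger lifecycle scripts.
runs_lifecycle_scripts() {
    case "$1" in
        install|i|add|ci|clean-install|install-test|it|rebuild|rb|update|up|upgrade)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# guard_decision UID [npm args...]
# Prints "block" when UID is 0 and any non-option argument is a
# script-running subcommand; prints "allow" otherwise. Scanning every
# argument (not just the first) keeps "--prefix /opt/app ci" covered.
guard_decision() {
    uid=$1
    shift
    if [ "$uid" -ne 0 ]; then
        echo allow
        return 0
    fi
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;
        esac
        if runs_lifecycle_scripts "$arg"; then
            echo block
            return 0
        fi
    done
    echo allow
}

# Drop-in wrapper: call this instead of npm (for example via a shell alias).
npm_guarded() {
    if [ "$(guard_decision "$(id -u)" "$@")" = block ]; then
        echo "Error: refusing to run 'npm $*' as root;" \
             "install scripts would run with root privileges." >&2
        return 1
    fi
    command npm "$@"
}
```

The guard fails closed for root: any argument that matches a script-running subcommand blocks the call, so a read-only command whose package argument happens to be named `install` is also refused.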