Show security vulnerabilities, ask for consent before installing something on the user's computer

(Mireille Raad) #1

Current behavior when running npm install on the command line:

  • I do an npm install
  • things install
  • I get a warning about how many vulnerabilities there are + their level.
  • my reaction: great! Geez, I wish I knew
  • uninstall

Desired behavior on the command line client:

  • do an npm install.
  • get metadata about needed packages and whether there are any vulnerabilities + how severe they are
  • display the same warning to the user, ask for consent to proceed
  • leave it to the user to weigh their options before typing y to install anyway

If the number of installs for a package goes down, that might create an incentive for package maintainers to update their dependencies or code. Also, out of respect for the user, we should tell him/her beforehand.

What do you think?
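The workflow requested above (resolve the tree, audit it, warn, ask for consent, then install) can be approximated today with a small wrapper around npm's existing commands. This is an added example, not code from the post or from npm; it reads the `metadata.vulnerabilities` block of `npm audit --json`, and the embedded sample audit output is constructed for offline demonstration.

```python
"""Consent gate in front of `npm install`, built on `npm audit --json` (added example)."""
import json
import subprocess
import sys

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample of the metadata block printed by `npm audit --json` (npm 7+);
# only the fields this script reads are included.
SAMPLE_AUDIT = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 2, "moderate": 1, "high": 3, "critical": 0, "total": 6}}})


def summarize_audit(audit_json: str) -> dict:
    """Return {severity: count} parsed from npm audit JSON output."""
    counts = json.loads(audit_json)["metadata"]["vulnerabilities"]
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}


def needs_consent(summary: dict, min_severity: str = "low") -> bool:
    """True when any finding at or above min_severity exists, so the user must be asked."""
    threshold = SEVERITIES.index(min_severity)
    return any(summary[sev] > 0 for sev in SEVERITIES[threshold:])


def format_warning(summary: dict) -> str:
    parts = [f"{summary[sev]} {sev}" for sev in SEVERITIES if summary[sev]]
    return f"found {sum(summary.values())} vulnerabilities ({', '.join(parts)})"


def load_audit() -> str:
    """Resolve the dependency tree into the lockfile without installing, then audit it."""
    try:
        subprocess.run(["npm", "install", "--package-lock-only", "--ignore-scripts"], check=True)
        # npm audit exits non-zero whenever it finds something, so no check=True here.
        out = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True).stdout
        return out if out.strip() else SAMPLE_AUDIT
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_AUDIT  # no npm or no package.json here: fall back to the constructed sample


def main() -> int:
    summary = summarize_audit(load_audit())
    if needs_consent(summary):
        print(format_warning(summary))
        if input("Install anyway? [y/N] ").strip().lower() != "y":
            print("aborted; nothing was installed")
            return 1
    try:
        return subprocess.run(["npm", "install"]).returncode
    except FileNotFoundError:
        return 0


if __name__ == "__main__":
    sys.exit(main())
```

Raising `min_severity` (for example to `"high"`) turns the gate into a policy: low findings are reported in the summary but only high and critical ones block the install pending consent.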