The npm community forum has been discontinued.
Show security vulnerabilities, ask for consent before installing something on the user's computer
Current behavior when running npm install on the command line:
- I do an npm install
- things install
- I get a warning about how many vulnerabilities there are + their level.
- my reaction: great! Geez, I wish I knew.
Desired behavior on the command line client:
- do an npm install.
- get metadata about needed packages and whether there are any vulnerabilities + how severe they are
- display the same warning to the user, ask for consent to proceed
- leave it to the user to weigh their options before typing y to install anyway
If the number of installs for a package goes down, that might create an incentive for package maintainers to update their dependencies or code. Also, out of respect for the user, we should tell him/her beforehand.
What do you think?
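One way to get the proposed flow with today's CLI, as an added example that is not part of the original post or of npm itself: resolve the tree into package-lock.json without touching node_modules (so no package lifecycle scripts execute before the user answers), run `npm audit --json`, show the same severity summary, and only then ask. It assumes the npm 7+ audit report format (`metadata.vulnerabilities` counts); the `--demo` flag uses a constructed sample report so the script can be tried without a project.

```python
import json
import subprocess
import sys

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample of `npm audit --json` output (npm 7+ report format), used by --demo.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {},
                           "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                                            "high": 2, "critical": 0, "total": 3}}})

def summarize_audit(audit_json: str) -> dict:
    """Per-severity counts taken from the report's metadata.vulnerabilities block."""
    counts = json.loads(audit_json).get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}

def needs_consent(summary: dict, min_level: str = "low") -> bool:
    """True when any finding at or above min_level exists, i.e. the user must be asked."""
    return any(summary[sev] > 0 for sev in SEVERITIES[SEVERITIES.index(min_level):])

def format_warning(summary: dict) -> str:
    """Same shape as npm's post-install line: a total plus a per-severity breakdown."""
    total = sum(summary.values())
    parts = ", ".join(f"{summary[s]} {s}" for s in SEVERITIES if summary[s])
    return f"found {total} vulnerabilities ({parts})" if total else "found 0 vulnerabilities"

def npm(*args) -> str:
    # npm audit exits non-zero when it finds something; keep stdout regardless of exit code.
    return subprocess.run(["npm", *args], capture_output=True, text=True, check=False).stdout

def main(argv) -> int:
    demo = "--demo" in argv
    if not demo:
        # Resolve the tree into package-lock.json only: nothing lands in node_modules and
        # no lifecycle scripts run, so no third-party code executes before the user answers.
        npm("install", "--package-lock-only", "--ignore-scripts")
    summary = summarize_audit(SAMPLE_AUDIT if demo else npm("audit", "--json"))
    print(format_warning(summary))
    if needs_consent(summary) and input("Install anyway? [y/N] ").strip().lower() != "y":
        print("Aborted; nothing was installed.")
        return 1
    return 0 if demo else subprocess.run(["npm", "install"], check=False).returncode

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Raising `min_level` in `needs_consent` gives the same effect as npm's own `--audit-level` option, prompting only for findings at or above the chosen severity.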