More and more packages add a postinstall script that prints a message after the package is installed, usually asking users to support the package's author. There are a few issues with this:
Since there are no guidelines, instead of simply logging a message, the script might make web requests, require huge dependencies, or write a lot of text, seriously slowing down the install process.
Since modules usually don't have any scripts, I remember all these modules, so noticing a new module makes me check what exactly is being executed. If more modules adopted that practice, a new module appearing there wouldn't be a surprise, but it actually might be a malicious script.
To solve this, provide a new field in package.json (for example installMessage) to specify a message that would be printed after installing a module. Additionally, there could be a limit on the length of the logged message and a config option to opt out of it.
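
The manual check described above (remembering which modules run install scripts and inspecting any new one) can be automated. The following is an added example, not code from this post or from npm: it reads the hasInstallScript flag that npm records in package-lock.json (lockfile v2/v3) and reports packages that are not on a reviewed list. The sample lockfile, the package names and the name@version allowlist format are constructed for illustration.

```javascript
// Added example: flag dependencies with install-time scripts that are not
// on a reviewed allowlist. Input is package-lock.json text (lockfile v2/v3),
// where npm sets "hasInstallScript": true on such packages.

// Constructed sample lockfile; package names and versions are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/native-thing": { version: "2.1.0", hasInstallScript: true },
    "node_modules/plain-lib": { version: "4.0.0" },
    "node_modules/@acme/banner": { version: "0.3.1", hasInstallScript: true },
    "node_modules/plain-lib/node_modules/nested-hook": {
      version: "1.2.3", hasInstallScript: true
    }
  }
});

// Turn a lockfile key such as "node_modules/a/node_modules/@s/b" into "@s/b".
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Return sorted "name@version" strings for every package with install scripts.
function packagesWithInstallScripts(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("lockfile has no 'packages' map (lockfileVersion 1?)");
  }
  const found = new Set();
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.link) continue; // skip root project and symlinks
    if (entry.hasInstallScript === true) {
      found.add(`${packageName(key)}@${entry.version}`);
    }
  }
  return [...found].sort();
}

// Packages that run install scripts but were never reviewed (assumed
// allowlist format: "name@version", so a new version needs a new review).
function unreviewed(lockText, allowlist) {
  const ok = new Set(allowlist);
  return packagesWithInstallScripts(lockText).filter((p) => !ok.has(p));
}

console.log(unreviewed(SAMPLE_LOCK, ["native-thing@2.1.0"]));
```

Run in CI against the committed lockfile, a non-empty result means a dependency that executes code at install time has appeared or changed version since the last review.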