Standard way to write a message after package install


(ark120202) #1

There are more and more packages that add a postinstall script to write some message after installing a package, usually suggesting that users support the package’s author. There are a few issues with this:

  • Since there aren’t any guidelines, instead of simply logging a message it might do web requests, require huge dependencies, or write a lot of text, seriously slowing the install process

  • Since modules usually don’t have any scripts, I remember all these modules, so noticing a new module makes me check what exactly is being executed. If more modules adopted that practice, a new module appearing there wouldn’t be a surprise, but it actually might be a malicious script

To solve this, provide a new field in package.json (for example installMessage) to specify a message that would be printed after installing a module. Additionally, it may add a limit to the length of the logged message and add a config option to opt out of it.

Yarn issue


(Brian Thompson) #2

I’m all for a faster installation process. I don’t see a problem with authors using the postinstall script however they please as long as it’s with good intention and optimal performance is kept in mind.

The malicious scripts worry me, but it’s beyond my area of expertise. Are you saying that something malicious could be run via a web request through the postinstall script? Does npm not have checks in place to ensure packages like this don’t get published to the registry in the first place? I know there was recently a “cleaning” of malicious packages that snuck into the registry.


(Lars Willighagen) #3

AFAIK, anything malicious that npm could run can be run in postinstall.

I don’t know of any npm tool automatically scanning code, I believe it’s more that users report malicious packages. Maybe there are some other people scanning packages, I know James Davis ran RegExp-DOS-detecting code on a bunch of packages (article) including mine.


Note: you can use --ignore-scripts to not run any (lifecycle) scripts like postinstall when installing. However, some packages, including your own, might rely on scripts. npm can’t really reliably distinguish between “good” and “bad” scripts.
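The review step discussed in posts #1 and #3 (knowing which installed modules declare install-time scripts before deciding whether to let them run) can be automated. The following is an added example, not code from any poster or from npm; the package names in the sample tree are made up, and the `binding.gyp` branch reflects npm's documented default of running `node-gyp rebuild` when a package has that file and defines no install or preinstall script.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the install-time hooks one package directory would trigger.
function installHooks(pkgDir) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8')); }
  catch { return null; } // no readable package.json: not a package
  const scripts = manifest.scripts || {};
  const hooks = {};
  for (const h of INSTALL_HOOKS) if (typeof scripts[h] === 'string') hooks[h] = scripts[h];
  // npm defaults "install" to "node-gyp rebuild" when binding.gyp exists
  // and the package defines no install or preinstall script of its own.
  const gyp = fs.existsSync(path.join(pkgDir, 'binding.gyp'));
  if (gyp && !hooks.install && !hooks.preinstall) hooks.install = 'node-gyp rebuild (implicit)';
  return { name: manifest.name || path.basename(pkgDir), hooks };
}

// Walk a node_modules directory, including @scoped and nested packages.
// Symlinked entries are skipped, which also avoids link cycles.
function findInstallScripts(nodeModules, found = []) {
  if (!fs.existsSync(nodeModules)) return found;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith('@')) { findInstallScripts(dir, found); continue; }
    const info = installHooks(dir);
    if (info && Object.keys(info.hooks).length) found.push({ ...info, dir });
    findInstallScripts(path.join(dir, 'node_modules'), found);
  }
  return found;
}

// Constructed sample tree (hypothetical package names) so the example runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-'));
  const put = (rel, files) => {
    const dir = path.join(root, 'node_modules', rel);
    fs.mkdirSync(dir, { recursive: true });
    for (const [f, body] of Object.entries(files)) fs.writeFileSync(path.join(dir, f), body);
  };
  put('quiet-lib', { 'package.json': '{"name":"quiet-lib","scripts":{"test":"node t.js"}}' });
  put('thanks-msg', { 'package.json': '{"name":"thanks-msg","scripts":{"postinstall":"node thanks.js"}}' });
  put('@acme/native', { 'package.json': '{"name":"@acme/native"}', 'binding.gyp': '{}' });
  put('quiet-lib/node_modules/deep', { 'package.json': '{"name":"deep","scripts":{"preinstall":"sh setup.sh"}}' });
  return path.join(root, 'node_modules');
}
```

Calling `findInstallScripts('node_modules')` in a project installed with `--ignore-scripts` lists the packages whose hooks were skipped, so each command can be read before scripts are re-enabled.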


(Brian Thompson) #4

I think you have to buy that article. :laughing:

Yeah, it’s unfortunate that --ignore-scripts usually can’t be utilized to the best of its ability. IMO having an automated module scanner for the registry would be ideal, but I don’t think it could be maintained as open-source. Perhaps a private community-driven initiative is the best way to prevent malicious code from leaking into the registry. I’m unsure of what other communities do (PyPI for example).


(Lars Willighagen) #5

Ugh, that’s annoying. This version (possibly a preprint or something) is where I got the DOI from, I assumed it would be better to share that but apparently not lol.