npm Community Forum (Archive)


Standard way to write a message after package install

There are more and more packages that add a postinstall script to write some message after installing a package, usually suggesting to support package’s author. There are a few issues with this:

To solve this, provide a new field in package.json (for example installMessage) to specify a message that would be printed after installing a module. Additionally, it may add a limit to the length of logged message and add a config option to opt-out of it.

Yarn issue

I’m all for a faster installation process. I don’t see a problem with authors using the postinstall script however they please as long as it’s with good intention and optimal performance is kept in mind.

The malicious scripts worry me, but it’s beyond my area of expertise. Are you saying that something malicious could be run via a web request through the postinstall script? Does npm not have checks in place to ensure packages like this don’t get published to the registry in the first place? I know there was recently a “cleaning” of malicious packages that snuck into the registry.

AFAIK, anything malicious that npm could run can be run in postinstall.

I don’t know of any npm tool automatically scanning code, I believe it’s more that users report malicious packages. Maybe there are some other people scanning packages, I know James Davis ran RegExp-DOS-detecting code on a bunch of packages (article) including mine.

Note: you can use --ignore-scripts to not run any (lifecycle) scripts like postinstall when installing. However, some packages, including your own, might rely on scripts. npm can’t really reliably distinguish between “good” and “bad” scripts.

I think you have to buy that article. :laughing:

Yeah, it’s unfortunate that --ignore-scripts usually can’t be utilized to the best of its ability. IMO having an automated module scanner for the registry would be ideal, but I don’t think it could be maintained as open-source. Perhaps a private community-driven initiative is the best way to prevent malicious code from leaking into the registry. I’m unsure of what other communities do (PyPI for example).

Ugh, that’s annoying. This version (possibly a preprint or something) is where I got the DOI from, I assumed it would be better to share that but apparently not lol.