
Disable scripts

Open jksolbakken opened this issue 2 years ago • 2 comments

Description: It would be nice to be able to configure npm to ignore pre and postinstall scripts.

Justification: Pre/postinstall scripts are a potential security problem.

Are you willing to submit a PR? Yes, see #955

jksolbakken, Feb 13 '24 08:02

Hello @jksolbakken, Thank you for creating this feature request and we will get back to you once we have some feedback :)

aparnajyothi-y, Feb 13 '24 11:02

Some example uses, such as https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#use-private-packages, give good reasoning why, but most importantly it also shows how to run the postinstalls via rebuild in a next step without the secrets. I like that approach a lot.

janbrasna, Feb 28 '24 21:02
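
The two-step pattern mentioned in the last comment (install with scripts disabled while the registry token is present, then run the skipped scripts in a later step that has no secrets), written out as a workflow. This is an added example, not part of the thread or the project's own file; the workflow name, the secret name `NPM_TOKEN`, the Node version and the registry URL are assumptions.

```yaml
# Added example. Workflow name, secret name (NPM_TOKEN) and Node version
# are assumptions, not values taken from the issue.
name: ci
on: [push]

# Keep the job's GITHUB_TOKEN read-only as well.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'

      # Step 1: fetch dependencies with the registry token present, but with
      # lifecycle scripts disabled, so no dependency's pre/postinstall code
      # runs while the secret is in the environment.
      - name: Install without lifecycle scripts
        run: npm ci --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Step 2: no env block, so the secret is not passed to this step.
      # npm rebuild runs the install scripts that step 1 skipped.
      - name: Run install scripts without secrets
        run: npm rebuild && npm run prepare --if-present
```

Step-level `env` is what scopes the token to the install step; defining it at job or workflow level would expose it to the rebuild step too.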