
npm scripts, the good, the bad, and the dangerous

Open AlexanderOMara opened this issue 9 years ago • 3 comments

The package.json scripts are useful, but they are also a potential security issue. For example:

A Malicious Module on npm

Earlier this week a package called rimrafall was published to npm. This package had a preinstall hook that executed the command rm -rf /*. It was created on 01/26/2015 at 15:28 and immediately posted to Hacker News and then it was unpublished from the registry by npm at 17:06 – giving it a lifespan of less than two hours.

I don't know if NPM has done anything about this since, but I don't think this should ever have been possible. Installing a module should never execute arbitrary commands, at least not without first prompting if the command should be run. I think this is one of the mistakes an NPM replacement should not make.

AlexanderOMara avatar Mar 26 '16 00:03 AlexanderOMara

I HATE how npm scripts work to be honest... It's the reason I use Gulp so much, and even made my own lightweight task manager recently. Sometimes I don't even have a CLI to work with in my scripts, and sometimes I just want to do more complex stuff without ending up with a huge line of commands.

I think IPM should do something programmatically with scripts, rather than just short one-line commands to do things... A while back, I was thinking of an idea, to where npm could have a structure like this:

.ipm
└── scripts
    ├── build.js
    ├── custom-script.js
    └── prepublish.js

Where .ipm is a dot-folder, that could contain more stuff in the future... And to run the scripts, I imagine it would be like ipm run <name> (i.e. ipm run custom-script). Though this is quite a heavy proposal, and I'm not sure if everyone would want to go that route.

So, I guess to sum it up, that proposal is like having a very simplistic Gulp that is built-in and separated through multiple files... Basically like .git/hooks but with JavaScript.

As far as malicious scripts go, I would agree with you that there should be some sort of safety-net... Kind of like how npm run shows you the command when you run it, but perhaps there could be a confirmation prompt (like you suggest) after they see that command.

jamen avatar Mar 26 '16 00:03 jamen
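The safety-net both posts above ask for (the opening post wants a prompt before any install command runs; the reply wants the command shown first, then a confirmation) needs one concrete piece: a way to pull out of a package's manifest exactly which scripts would run automatically at install time. The block below is an added example, not code from ipm, npm, or anyone in this thread. It takes a parsed package.json object, returns the install-time lifecycle hooks it declares (assumed here to be preinstall, install and postinstall, the hooks npm runs without being asked), flags a few shell patterns a reviewer would want to look at first, and builds the prompt text a client could display before executing anything. The two manifests at the bottom are constructed samples; the malicious one only reproduces the preinstall command the thread describes.

```javascript
// Added example, not from ipm or from any participant in this thread.
// Lists the lifecycle scripts that run automatically during an install and
// builds the confirmation prompt a client would show before running them.

// Hooks npm runs on its own during `npm install` of a dependency
// (assumption: this matches npm's documented install lifecycle).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Patterns that are not proof of malice but deserve a second look before
// the command is allowed to run. Constructed heuristics, not a complete list.
const SUSPICIOUS = [
  { name: 'recursive delete', re: /\brm\s+-\w*r/i },
  { name: 'download piped to shell', re: /\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b/i },
  { name: 'eval of dynamic code', re: /\beval\b/ },
];

// Returns [{ hook, command, flags }] for every install-time hook the manifest
// declares; an empty array means nothing would run automatically.
function installScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      hook,
      command: scripts[hook],
      flags: SUSPICIOUS.filter((s) => s.re.test(scripts[hook])).map((s) => s.name),
    }));
}

// Builds the text a client would show before running anything, or null
// when the package declares no install-time hook at all.
function confirmationPrompt(pkg) {
  const found = installScripts(pkg);
  if (found.length === 0) return null;
  const lines = found.map((f) => {
    const warn = f.flags.length ? `  [review: ${f.flags.join(', ')}]` : '';
    return `  ${f.hook}: ${f.command}${warn}`;
  });
  return `${pkg.name}@${pkg.version} wants to run on install:\n` +
    `${lines.join('\n')}\nAllow? [y/N]`;
}

// Constructed sample manifests for demonstration only.
const sampleMalicious = {
  name: 'example-bad-package', version: '0.0.1',
  scripts: { preinstall: 'rm -rf /*', test: 'echo ok' },
};
const sampleBenign = {
  name: 'example-ok-package', version: '1.2.3',
  scripts: { build: 'node build.js', test: 'mocha' },
};

console.log(confirmationPrompt(sampleMalicious));
console.log(confirmationPrompt(sampleBenign)); // null: nothing runs on install

if (typeof module !== 'undefined') {
  module.exports = { INSTALL_HOOKS, installScripts, confirmationPrompt, sampleMalicious, sampleBenign };
}
```

The point of separating `installScripts` from the prompt is that the same extraction can drive either policy the thread discusses: an interactive confirmation, or a non-interactive install that refuses any package declaring install hooks unless it is on an allow-list. The regex flags are deliberately conservative; a command that matches none of them still appears in the prompt, because the decision is meant to rest on the user seeing the command, not on the heuristics.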

Impressively, NPM apparently still hasn't done anything about this.

http://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability

AlexanderOMara avatar Mar 26 '16 18:03 AlexanderOMara

This is a must have!

adelarsq avatar Apr 06 '16 01:04 adelarsq