
Support `privilegedDependencies` in `package.json`

Open Electroid opened this issue 2 years ago • 0 comments

There are npm packages, like esbuild, that need postinstall support to install binaries or run other scripts. While we could allow any package to run scripts, that wouldn't be the safest thing to do. We also can't not support it at all, because these packages would simply not work.

We're thinking of adding a new `privilegedDependencies` property to the `package.json`, which would require developers to explicitly define an allowlist of packages that are allowed to run scripts.

```json
{
  "private": true,
  "dependencies": {
    "esbuild": "^0.17.8"
  },
  "privilegedDependencies": [
    "esbuild"
  ]
}
```

This would not extend to child dependencies, so if package `foo` depends on `bar`, and `foo` is on the allowlist, `bar` is not on the allowlist, unless it is explicitly added.

Electroid, Feb 14 '23 17:02
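As an added illustration, not Bun's code and not part of the issue above, here is a small model of how a package manager could apply the proposed allowlist when deciding whose lifecycle scripts may run. The `package.json`, the installed tree and the helper names (`readAllowlist`, `planLifecycleScripts`, `unknownAllowlistEntries`) are constructed for this example; the one rule it encodes is the issue's: the allowlist is matched by exact package name and is not inherited by child dependencies, so `bar` stays blocked even though its parent `foo` is allowed.

```javascript
// Illustrative model of the proposed `privilegedDependencies` allowlist.
// Added example, not Bun's implementation. All data below is constructed.

// Constructed root package.json (assumption: shape as proposed in the issue).
const PACKAGE_JSON = {
  private: true,
  dependencies: { esbuild: "^0.17.8", foo: "^1.0.0", lodash: "^4.17.21" },
  privilegedDependencies: ["esbuild", "foo"],
};

// Constructed install tree: name -> { scripts, dependencies }.
// `foo` is allowlisted and depends on `bar`; `bar` is NOT allowlisted.
const INSTALLED = {
  esbuild: { scripts: { postinstall: "node install.js" }, dependencies: [] },
  foo: { scripts: { postinstall: "node setup.js" }, dependencies: ["bar"] },
  bar: { scripts: { preinstall: "node build.js" }, dependencies: [] },
  lodash: { scripts: {}, dependencies: [] },
};

// Lifecycle scripts a package manager would otherwise run on install.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Parse the allowlist strictly: absent means "nobody may run scripts";
// anything other than an array of strings is a configuration error.
function readAllowlist(pkg) {
  const list = pkg.privilegedDependencies;
  if (list === undefined) return new Set();
  if (!Array.isArray(list) || !list.every((n) => typeof n === "string")) {
    throw new TypeError("privilegedDependencies must be an array of package names");
  }
  return new Set(list);
}

// Allowlist entries that are not declared dependencies at all. Worth warning
// about: a typo here silently grants nothing, and a stale entry keeps a
// package privileged after it was removed from dependencies.
function unknownAllowlistEntries(pkg) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  return [...readAllowlist(pkg)].filter((name) => !declared.has(name));
}

// Decide, per installed package with lifecycle scripts, whether they run.
// The decision is a plain name lookup: no walk up the dependency graph, so
// a child of an allowed package is not allowed by inheritance.
function planLifecycleScripts(pkg, installed) {
  const allow = readAllowlist(pkg);
  const plan = [];
  for (const [name, info] of Object.entries(installed)) {
    const scripts = LIFECYCLE_SCRIPTS.filter((s) => info.scripts && info.scripts[s]);
    if (scripts.length === 0) continue; // nothing to gate
    plan.push({ name, scripts, allowed: allow.has(name) });
  }
  return plan;
}

// Flatten the plan into the commands that would actually execute.
function scriptsToRun(plan, installed) {
  return plan
    .filter((p) => p.allowed)
    .flatMap((p) => p.scripts.map((s) => `${p.name} ${s}: ${installed[p.name].scripts[s]}`));
}

// Stand-alone demo.
const plan = planLifecycleScripts(PACKAGE_JSON, INSTALLED);
for (const p of plan) {
  console.log(`${p.allowed ? "RUN " : "SKIP"} ${p.name} (${p.scripts.join(", ")})`);
}
console.log("unknown allowlist entries:", unknownAllowlistEntries(PACKAGE_JSON));
```

Running it lists `esbuild` and `foo` as RUN and `bar` as SKIP; `lodash` does not appear because it has no lifecycle scripts to gate. The `unknownAllowlistEntries` check is an extra this example adds beyond the issue text: an allowlist that is only consulted by exact name benefits from a warning when an entry does not match any declared dependency.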