Comment by broeng
2 years ago
Why the hell does npm support a postinstall script? There really shouldn't be a need to run arbitrary code provided by the package for something like this.
2 years ago
Why the hell does npm support a postinstall script? There really shouldn't be a need to run arbitrary code provided by the package for something like this.
The package itself is arbitrary code. You're running arbitrary code either way whether it's preinstall, install, post install, or when the package code gets ran.
It's common to need to setup tool chains for code that gets compiled (i.e. a node module that adds language bindings to a C library)
It also supports preinstall and install scripts, for more obvious reasons.
I don't really think thats more obvious. It's expected to install dev libraries, not system services, it shouldn't have that need.
NodeJS isn't very sandboxed. Many "dev libraries" are native and will either download and link to binary blobs, or build e.g. C code, which AFAICT is what all the various install scripts are for.
1 reply →
dependency checking isn't simple