Comment by tln
3 months ago
How can we stop having post-install scripts with such access?
Can I turn off those post install scripts globally?
Are there alternatives to npm that do a better job here?
You can use pnpm, which forces you to approve the install scripts you want to run.
Do you approve on every update of the package? Do they offer a way to quickly review what’s going to run and what has changed since the last approval? Otherwise it’s just like another checkbox of “I confirm I read the terms and conditions”