Comment by wrs
2 months ago
Some packages have install scripts that actually need to run (e.g., esbuild).
pnpm refuses to run install scripts from packages you haven’t manually authorized, which helps a bit.
pnpm cannot be built from source without an existing pnpm binary, making it ineligible for inclusion in any reproducible Linux distro, for good reason, as there is no way to rule out a trusting trust attack.
Pnpm should be considered for hobby use cases only.
Yes, at the end of that blog there are two options for that:
Or, trigger the installation script:
The pnpm version of this is persistent. You approve the package once, and regular install works thereafter. Which is nice.
Is that permission tied to a specific version with a specific fingerprint/hash? Because if it's not, then you could still get a surprise come the next update...
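As an added example (not code from this thread, from pnpm or from the blog it refers to): a small audit that lists which dependencies carry install-time lifecycle scripts, which of them are on an approval list, and, answering the question above by recording the version yourself, which approved packages have changed version since approval. The manifests and the `APPROVED_AT` record are constructed inline; `auditInstallScripts` and `installHooks` are names assumed here.

```javascript
// Lifecycle scripts a package manager may run when a dependency is installed
// (prepare applies to dependencies installed from git).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed sample manifests standing in for node_modules/*/package.json.
const SAMPLE_MANIFESTS = [
  { name: "esbuild", version: "0.21.5", scripts: { postinstall: "node install.js" } },
  { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
  { name: "some-native", version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
];

// Constructed approval record (assumed name): package name -> version that was
// reviewed when the install scripts were approved.
const APPROVED_AT = { esbuild: "0.21.4" };

// Return the install-time hooks a manifest declares, in INSTALL_HOOKS order.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Classify each dependency with install-time hooks as approved (will run),
// blocked (not approved), and flag approved packages whose installed version
// differs from the version recorded at approval time.
function auditInstallScripts(manifests, approvedAt) {
  const report = { willRun: [], blocked: [], versionDrift: [] };
  for (const m of manifests) {
    const hooks = installHooks(m);
    if (hooks.length === 0) continue;
    // Object.hasOwn avoids matching inherited keys such as "constructor".
    if (Object.hasOwn(approvedAt, m.name)) {
      report.willRun.push(`${m.name}@${m.version}`);
      if (approvedAt[m.name] !== m.version) {
        report.versionDrift.push({
          name: m.name, approved: approvedAt[m.name], installed: m.version, hooks,
        });
      }
    } else {
      report.blocked.push({ name: m.name, version: m.version, hooks });
    }
  }
  return report;
}

console.log(JSON.stringify(auditInstallScripts(SAMPLE_MANIFESTS, APPROVED_AT), null, 2));
```

With the sample data, esbuild is approved but reported under versionDrift because the installed version differs from the approved one, while some-native is blocked and left-pad is ignored because it has no install-time hooks.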