Comment by theodorejb
2 months ago
Many people have non-JS backends and only use npm for frontend dependencies. If a postinstall script runs in a dev or build environment it could get access to a lot of things that wouldn't be available when the package is imported in a browser or other production environment.
Malicious client-side code can still perform any user action, exfiltrate user data via cross-domain requests, and probe the user's local network.
I wonder why npm doesn't block pre/postinstall scripts by default, which pnpm and Bun (and I imagine others) already do.
EDIT: oh I scrolled down a bit further and see you said the exact same thing in a top-level comment hahah, my bad