Comment by bakkoting

13 minutes ago

They have taken action as of very recently. The latest version [1] of npm warns when there are install scripts and tells you they will be disabled by default in a future version, with a per-dependency opt in mechanism [2].

[1] https://github.com/npm/cli/releases/tag/v11.16.0

[2] https://github.com/npm/rfcs/pull/868

1 comment

bakkoting

Reply
hedora  7 minutes ago

This is way too little, way too late.

To see what I mean, try actually packaging a cross-platform binary dependency in their ecosystem.