Comment by nailer
4 days ago
We've had this discussion since Eazel Linux desktop popularized bash | curl in 2001.
> npm install ... is a much better approach to managing installed packages.
No. Until the upcoming version of npm is out, npm will also run arbitrary code. Almost all common installation tools run arbitrary code. Not doing that is sadly the exception for now.
I use npm 11.16.0 and it did this
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
Isn't executing arbitrary code kind of the entire point of NPM though? Any chance you have a link to something that describes their plans?
> Isn't executing arbitrary code kind of the entire point of NPM though?
No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. Eg:
- pip
- Cargo
- apt/dpkg
- dnf/yum
- Homebrew
- RubyGems
- Composer (limited)
- Maven
> Any chance you have a link to something that describes their plans?
https://github.blog/changelog/2026-06-09-upcoming-breaking-c...
I get what you mean, but an NPM package is just a tarball of arbitrary code and some metadata. The whole point of it is to eventually run that arbitrary code, presumably. Otherwise why would you want to download the tarball and extract it? In fact, what purpose does NPM even serve if it's just a way to host tarballs?
I get the install time and run time execution might feel different, but I don't see how that's a security boundary at all.
I suspect that everyone will just get into the habit of typing --allowScripts all or whatever and nothing will actually change, because there's no point in a version of NPM that doesn't properly set things up for most people.