Is it possible to run any computer command with `npm install`?

Question

After noticing that installing bcrypt runs several commands like CMake. I was wondering if it is possible to run:

File management commands (copy, create, delete)
Other NPM commands (install, update, publish, etc)
Potentially malicious code (rm -rf, system shutdown, etc)

By running npm install [module].

did my answer solved your "problem" ? if yes, please mark it as solved. Better for community — MathKimRobin, Jan 06 '18 at 13:05
@MathKimRobin I was trying to delete the question because it was negatively received but your answer is great, thanks. — adelriosantiago, Feb 07 '18 at 23:22
I'm not sure that you deserve that negative feeling against your question. That's why I answered instead of a flag — MathKimRobin, Feb 08 '18 at 07:11

score 3 · Accepted Answer · answered Jan 02 '18 at 08:17

As described here, any package can bring some scripts automatically triggered before/after the npm install task.

https://docs.npmjs.com/misc/scripts

So in this script, you can have some commands like "rm -rf /*". Even if it will need sudo rights on linux for example.

That's why some services exists like Snyk. It checks and prevents you from known vulnerabilities. You can ask it to auto-create a PR to your repos if it detects problems.

Is it possible to run any computer command with `npm install`?

1 Answers1