
I just watched a talk where the speaker recommended running:

npm config set ignore-scripts true

so that post-install scripts and pre-install scripts of a package don't run. That way, you would avoid a virus in a malicious package.

My question is: After running this command, must I do anything differently to npm install packages and get them to work within a project?

If running this command comes with no additional inconvenience when using npm, then running it would have no downside. It would only help you avoid viruses.

If this was the case, why wouldn't this be the default setting?

I ask because I assume that by ignoring package scripts, npm packages would behave differently and one would have to do more things manually.

Dan

  • Some packages run `pre`/`post`-`install` scripts for setup/configuration purposes. Whilst setting `ignore-scripts` to `true` _may_ mitigate malicious code it can, and often does, result in package(s) being installed that simply do not function. – RobC Dec 24 '19 at 19:19
  • If `npm config set ignore-scripts true` creates the above problem mentioned by @RobC, what do you think about `npm install --ignore-scripts`? Is it any better? – Ashique Desai May 22 '20 at 06:41
  • @AshiqueDesai - The [`--ignore-scripts`](https://docs.npmjs.com/cli/install) option yields the same functionality as [`npm config set ignore-scripts true`](https://docs.npmjs.com/misc/config#ignore-scripts). So regarding your specific question, _"is it any better?"_, the answer is _"No"_ because they're essentially the same. Either (or both) methods will cause npm to not execute any scripts defined in the _package.json_. – RobC May 22 '20 at 08:42
  • @RobC Wouldn't running `npm install SOMEPACKAGES --ignore-scripts` prevent `pre`/`post` scripts from running for that particular install while still allowing npm package.json scripts to work (i.e. `npm run start`)? This is unlike setting `npm config set ignore-scripts true`, which does it by default for all future scripts. – SILENT Oct 22 '20 at 18:31

3 Answers

7

I agree with @RobC here. It also deactivated running custom scripts in my package.json completely for me, which obviously is a deal breaker since you can't define and run your custom scripts anymore.

Although it's probably useful to think about these security concerns, I don't think running npm config set ignore-scripts true is the right option. I ran it as well and ended up turning it back off to keep running my custom package scripts.

So the advice from the video ended up being not all too sound, I guess...

balanceglove2

  • Perhaps this is a good time, the right time even, to reconsider how custom scripts are run. -1 for advocating convenience over security and responsible work – jimmont Aug 17 '20 at 12:45
  • @jimmont Is now another good time, with the recent news of UAParser.js? – Keith Oct 24 '21 at 18:55
  • To be brutally honest, you should really be using something like `Justfile` instead of `package.json#scripts` – airtonix Nov 09 '22 at 00:43

3

If you want to be safe, use '--ignore-scripts' or the config setting, but also use can-i-ignore-scripts.

It helps you find out which scripts exist (especially when you install new dependencies), but prevents automatically executing new scripts which appear with a new version of a library you already use.

JSchirrmacher

0

I faced a similar problem when some dependencies needed to run scripts to build platform-specific code with node-gyp.

It would be nice to have an option in ignore-scripts per project to enable specific ones to build.

So far I have decided to stay on `ignore-scripts = true` globally in .npmrc and use an extra script in my project that basically does this:

#!/bin/bash
set -e

# With ignore-scripts=true set globally, npm skips every install hook.
# `npm explore <pkg> -- <cmd>` runs <cmd> inside that package's directory,
# so the native build step is executed only for the packages listed here.
npm explore sqlite3  -- yarn run install
npm explore bcrypt   -- yarn run install

P.S. yarn does not have `explore`.

Andrew