• dbx12@programming.dev · 2 days ago

    I only do npm install in a docker container where the project and npm cache are mounted. Gives me a bit of security regarding attacks through post install scripts. (--no-scripts is not an option since I need some of them)

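    One way to set up what the comment above describes, added here as an example and not the commenter's own script: a POSIX shell wrapper that runs npm install inside a throwaway container with only the project directory and the npm cache mounted writable, so install scripts still run but with much less reach. The image name, the mount points (/app, /cache) and the hardening flags are my assumptions.

```shell
#!/bin/sh
# Added example: run "npm install" (scripts enabled) inside a disposable container.
# Assumptions (not from the original comment): image node:20-alpine, the project is
# mounted at /app and the npm cache at /cache. Set DOCKER=echo to print the command.

sandboxed_npm_install() {
  proj="$1"      # host path of the cloned project (must already exist)
  cache="$2"     # host path of the npm cache dir (must already exist)
  shift 2        # anything left is passed through to "npm install"

  # Run as the calling user so files written to the bind mounts stay owned by us,
  # drop all capabilities and block privilege gain via setuid binaries,
  # keep the image read-only so scripts can only write to /app, /cache and /tmp,
  # and cap process count / memory to contain fork bombs and miners. Network stays
  # on, since npm has to fetch packages; that is the trade-off this setup accepts.
  "${DOCKER:-docker}" run --rm \
    --user "$(id -u):$(id -g)" \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    --pids-limit 512 --memory 2g \
    -e HOME=/tmp \
    -e npm_config_cache=/cache \
    -v "$proj:/app" \
    -v "$cache:/cache" \
    -w /app \
    node:20-alpine npm install "$@"
}

# Usage: ./sandboxed-npm.sh ./some-cloned-project "$HOME/.npm" [extra npm args]
if [ "$#" -ge 2 ]; then
  sandboxed_npm_install "$@"
fi
```

    Scripts can still tamper with the project tree itself, so review the working copy (and a fresh lockfile diff) before running the installed code on the host.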
    • Victor@lemmy.world · 1 day ago

      When do people ever do npm install if you don’t trust the project or know what install scripts will run? I’m a web developer of 10 years and I’ve never run npm install to install a piece of software. The only time I ever run npm is when I’m doing development for work.

      • dbx12@programming.dev · 13 hours ago

        Usually in the “let's see how this random project I cloned from GitHub works for my use case” scenario. I want to see how it works and if it would cover my use case before spending time on checking code and dependencies for security issues.

        • Victor@lemmy.world · 13 hours ago

          So it doesn’t have any other means of installing, I take it.

          Usually I take that as a red flag: that it isn’t popular or mature enough. But to each their own.