npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

my-trusted-package

v1.0.4

Published

it's all good man

Downloads

12

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

jonchurchjonchurch

Keywords

trustedinstall script

Readme

My Trusted Package: NPM Lifecycle Script Example

Ladybug in a box labeled "my trusted package"

It is a pleasure to have your trust.

my-trusted-package demonstrates the execution of npm lifecycle scripts during various stages of the npm package lifecycle. It is specifically designed for developers who want to understand and how these lifecycle events are triggered.

Lifecycle Scripts

This package contains the following npm lifecycle scripts:

  • preinstall: Triggered before the package installation begins.

    "preinstall": "echo 'Trust preinstalling!' # (Running preinstall script)"

  • postinstall: Triggered immediately after the package is installed.

    "postinstall": "echo 'Trust Installed!' # (Running postinstall script)"

  • preuninstall: Triggered before the package is uninstalled.

    "preuninstall": "echo 'Trust preuninstalling!' # (Running preuninstall script)"

  • postuninstall: Triggered after the package is uninstalled.

    "postuninstall": "echo 'Trust postuninstalling!' # (Running postuninstall script)"

  • prepare: Triggered in two scenarios: after the package is installed locally (not through the registry) and before the package is packed and published (e.g., during npm publish or npm pack).

    "prepare": "echo 'Preparing Trust!' # (Running prepare script)"

Installation

npm@7 and above do not foreground output from dependency scripts, so you won't know that they've run unless you use --foreground-scripts:

npm install --foreground-scripts my-trusted-package

Monitor the console to see the execution of lifecycle scripts and verify they ran.

Disabling Lifecycle Scripts

To ensure that installation scripts do not execute, install the package with scripts disabled using --ignore-scripts:

# foregrounding for demonstration
npm install --foreground-scripts --ignore-scripts my-trusted-package

Importance of Disabling Install Scripts

As noted by socket.dev, install scripts are a common vector for malware distribution within the npm ecosystem. The majority of malware found in npm packages leverages these scripts, which often execute without thorough vetting by users.

Allowing install scripts to run automatically during npm installations introduces significant security risks. Install scripts execute with the same level of access as the user running the npm install command, which can lead to several severe security threats, including:

  • Modification or theft of data: Scripts can alter or steal files accessible to the user.
  • Installation of malicious software: Scripts can download and install additional malicious packages or software without the user's consent.
  • Unauthorized access to system resources: Scripts may open backdoors for further exploitation by attackers.

Suggested Practices

To effectively manage security risks associated with npm install scripts, you can employ the following technical configurations:

  • Use --ignore-scripts: This command-line option prevents npm from executing any scripts defined in the package's package.json file during the installation process.
    npm install some-package --ignore-scripts
  • Persistently disable scripts: You can set a global configuration in your .npmrc file to consistently prevent the execution of scripts during npm installations. This is done by adding the following line to your .npmrc file:
    ignore-scripts=true