hedora 2 hours ago
So, I do this because it's universally recommended, but why does it help? Can't they just jam the malware into the package itself? It runs with the same permissions on my machine (in unit tests, node servers, etc).
herpdyderp an hour ago
> why does it help?

Because install scripts are being actively exploited, so blocking them will reduce your exposure. Install scripts will also run anywhere that runs npm ci, npm install, etc., including build pipelines.

> Can't they just jam the malware into the package itself

Yes. Disabling install scripts won't safeguard you from all attack vectors.
efortis an hour ago
Yes, if the malware is injected in the application code this doesn't prevent it. But in some cases it could help for that. For instance, if the package runs in the browser and the payload requires file-system access, etc., then the attack can't execute in the browser. And if in addition it was added to a life-cycle script, it would be mitigated. At any rate, it's worth having `ignore-scripts=true` because NPM life-cycle scripts are a common target (e.g., this one targets `preinstall`).