Ask HN: Package.json needs an allowList for the deps that can run postinstall

4 points by 01walid 3 years ago · 0 comments · 1 min read


The fact that any dependency can run a postinstall script is a supply chain attack risk!

I believe package managers (npm, pnpm, yarn, ...) need to account for an `allowList`-like implementation to give more granularity to which dependencies can run a postinstall, as opposed to the all-in or not `--ignore-scripts` option.

It can be made backward-compatible: scripts are allowed by default if there's no allowList; otherwise, only the allowed deps can run them.

An empty array would be equivalent to `--ignore-scripts` by default.

Orgs/teams can define their own allowList and have it enforced as a policy or a recommendation.

I know this is not enough to fully mitigate supply chain attacks, but it'd be a positive step forward.

I'm not sure where to post such a proposal. npm?

