This post explains how to make npm install safer with --ignore-scripts:
Problem
When you run npm install, package lifecycle scripts can execute arbitrary shell commands on your machine.
For example, a package.json may contain:
{
  "scripts": {
    "postinstall": "echo do something malicious..."
  }
}
This is how attacks like the Shai-Hulud worm work.
A malicious or compromised dependency can:
- steal secrets or tokens
- install malware or backdoors
- access or modify files on your machine
- tamper with build artifacts
Disable Lifecycle Scripts
Ignore lifecycle scripts during install:
npm install --ignore-scripts
This downloads dependencies normally, but prevents lifecycle hooks from executing:
- preinstall
- install
- postinstall
- prepare
This is useful when:
- auditing unfamiliar repositories
- testing untrusted dependencies
- reducing supply-chain attack surface
- running installs in CI
One caveat of disabling scripts is that it can break packages that rely on native builds or binary downloads (e.g., bcrypt, esbuild, sqlite3).
Global Disable
To disable lifecycle scripts globally:
npm config set ignore-scripts true
Verify the current setting:
npm config get ignore-scripts