Nicholas Zakas
Podcast Appearances
And so I think any package manager that would start from scratch or any registry that would start from scratch now would be wise to not even have this concept of pre-install and post-install scripts and just say, you know, we're not dealing with compiled packages at all, which is what JSR does.
But if you want to enable compiled packages, it's kind of the necessary evil you have to accept.
No, so the threat is that the pre-install and post-install can run anything.
It might not compile anything.
And this is what happened last year, was these packages would download and install TruffleHog, which is a secret scanner, and just execute it and find all the secrets and tokens on your computer when you downloaded it.
It's one of those situations that, like, Deno was trying to prevent with its permission system.
Like, okay, you have an NPM package.
Like, should it be able to call back out to the internet for some reason by default? Like, that kind of seems like a bad idea.
And so the permission system in Deno was built so that anytime a package was trying to do something that was unanticipated, reach out to the network, read something on the file system, you would have to opt into that behavior.
And I know there's been some experiments with that on NPM.
I don't think that those permissions actually applied to pre- and post-install scripts, if I remember correctly.
But that is something that they could look at as well, of just like, okay, maybe pre-install, post-install scripts are not allowed to just willy-nilly go out to the internet.
Maybe they need to get opt-in permission from the user in order to do that first.
I imagine that would be a little bit more complicated than I'm making it sound.
But it's another option around those.
I mean, my preferred option, which I talked about in the post, is just to say, hey, you know, if a package previously did not have a pre-install or a post-install script and then it adds one, like, don't allow it to be a patch or a minor version upgrade; like, force it to be a major version upgrade.
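The rule proposed above, expressed as a check a consumer could run before accepting a dependency update. This is an added example, not code from the podcast, npm or JSR; the package names, versions and script contents are constructed, and the function names are my own.

```javascript
// Added example: flag a dependency update that introduces or changes an npm
// lifecycle script in a non-major version bump. Inputs are the package.json
// objects of the installed version and of the candidate update.
const LIFECYCLE = ["preinstall", "install", "postinstall"]; // run on install from the registry

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Classify the version change as "major", "minor", "patch" or "none".
function bumpKind(oldV, newV) {
  const a = parseSemver(oldV), b = parseSemver(newV);
  if (a.major !== b.major) return "major";
  if (a.minor !== b.minor) return "minor";
  if (a.patch !== b.patch) return "patch";
  return "none";
}

function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === "string");
}

// Returns human-readable findings; an empty list means the update satisfies
// the policy (lifecycle scripts may only appear or change in a major release).
function checkInstallScriptPolicy(oldPkg, newPkg) {
  const kind = bumpKind(oldPkg.version, newPkg.version);
  if (kind === "major") return [];
  const before = new Set(lifecycleScripts(oldPkg));
  const findings = [];
  for (const k of lifecycleScripts(newPkg)) {
    const where = `${newPkg.name} ${oldPkg.version} -> ${newPkg.version} (${kind})`;
    if (!before.has(k)) {
      findings.push(`${where} adds "${k}": ${newPkg.scripts[k]}`);
    } else if (oldPkg.scripts[k] !== newPkg.scripts[k]) {
      findings.push(`${where} changes "${k}"`);
    }
  }
  return findings;
}

// Constructed sample: a patch release that quietly gains a postinstall hook.
const SAMPLE_OLD = { name: "example-lib", version: "1.4.2", scripts: { test: "node test.js" } };
const SAMPLE_NEW = { name: "example-lib", version: "1.4.3",
  scripts: { test: "node test.js", postinstall: "node scripts/setup.js" } };

for (const f of checkInstallScriptPolicy(SAMPLE_OLD, SAMPLE_NEW)) console.log("BLOCK:", f);
```

The same check can be wired into a lockfile review step so the update is rejected (or held for manual review) rather than merely logged.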