JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 23
  • Score
    100M100P100Q106562F
  • License MIT

Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.

Package Exports

  • @gkiely/safe-install

Readme

safe-install

Run npm installs with dependency lifecycle scripts disabled by default, then rebuild only the packages you explicitly trust.

safe-install is for npm projects that want trusted dependency installs without switching package managers.

Why

npm lifecycle scripts can run arbitrary code during install. Setting ignore-scripts=true blocks that whole class of install-time execution, but it also breaks packages that legitimately need postinstall, install, or preinstall scripts to build native bindings, download binaries, or finish setup.

This package keeps the default install locked down and moves script execution behind a reviewed allowlist in package.json.

Setup

  1. Add this to .npmrc:
ignore-scripts=true
allow-git=root
allow-remote=root

allow-git=root and allow-remote=root let your project use direct Git or remote tarball dependencies when you intentionally declare them, while blocking transitive packages from pulling in those sources.

  1. Add script to package.json:
{
  "scripts": {
    "safe-install": "npx -y @gkiely/safe-install"
  }
}
  1. Find dependencies that declare install-time scripts:
npm run safe-install -- review-deps
  1. Review the output, then add trusted packages to package.json. You can also enable blockExoticSubDeps as a lockfile-level backstop for transitive dependencies that point outside the npm registry with git:, file:, link:, or remote tarball URL specifiers.
{
  "blockExoticSubDeps": true,
  "trustedDependencies": [
    "esbuild",
    "sharp"
  ]
}
  1. Use safe-install for future installs:
npm run safe-install

You can pass npm install args through:

npm run safe-install left-pad@latest

You can run npm update through the same command:

npm run safe-install -- update

What safe-install does

safe-install runs npm install with scripts blocked, then runs install scripts only for packages listed in trustedDependencies.

If blockExoticSubDeps is set to true in package.json, safe-install also fails the install before rebuilding trusted dependencies when a transitive dependency points outside the npm registry with a git:, file:, link:, or remote tarball URL specifier.

Equivalent manual flow:

npm install --ignore-scripts --no-audit --no-fund
npm rebuild --ignore-scripts=false esbuild sharp

Notes

Supports npm install flags:

{
  "scripts": {
    "safe-install": "npx -y @gkiely/safe-install --no-audit --no-fund"
  }
}

Only add a package to trustedDependencies after reviewing why it needs an install script. This does not make dependency scripts safe; it makes the trust decision explicit and version-controlled.