Is there a way to list all the packages in the dependency tree with preinstall/postinstall hooks? Preferably before doing the installation?

IDK. I usually notice it when it breaks the install

Stupid question, but:

- If it's safe to "ignore scripts", why does this option exist in the first place?

- Otherwise, what kind of cascade breakage in dependencies you risk by suppressing part of their installation process?

Yes, it can break deps, some will not install. Puppeteer is a good example because it installs binaries. But it also shows an error with the cmd needed to complete the installation.

Why it is allowed by default?

> it’s npm’s belief that the utility of having installation scripts is greater than the risk of worms.

NPM co-founder Laurie Voss

https://blog.npmjs.org/post/141702881055/package-install-scr...

Once you run the JavaScript of the npm library you just installed, if it's Node, what's to stop it accessing environment variables and any file it wants, and sending data to any domain it wants?

fs and net can be mitigated with `--permission`

https://nodejs.org/api/permissions.html

Regardless, it’s worth using `--ignore-scripts=true` because that’s the common vector these supply chain attacks target. Consider that when automating the attack, adding it to the application code is more difficult than injecting it into life-cycle scripts, which have well-known config lines.

Nothing, but at least you'll have time to see the audit if it's aware.

Or use pnpm

To delay updates, you mean?

I'm curious though: how do you avoid being stuck on the _vulnerable_ versions, delaying updates?

pnpm disables all install scripts by default and makes it trivial to whitelist the few you need. It's usually just one or two, or sometimes zero, depending on the project. Even without malware, most postinstall scripts are used for spam and analytics, and running them makes your life worse.

npm should have died long ago, I don't know why it's still being used.