@lavamoat/preinstall-always-fail - npm Package Compare versions

Comparing version 1.0.0 to 1.0.2

package.json

 {
   "name": "@lavamoat/preinstall-always-fail",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "",
   "main": "index.js",
   "scripts": {
-    "test": "echo \"Error: no test specified\"",
-    "preinstall": "echo \"Don't run npm lifecycle scripts by default, whitelist them with @lavamoat/allow-scripts\" && exit 1"
+    "test": "exit 0",
+    "preinstall": "echo \"Don't run npm lifecycle scripts by default! Create a .yarnrc or .npmrc and set enableScripts: false. Then, whitelist them with @lavamoat/allow-scripts\" && exit 1"
   },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/LavaMoat/LavaMoat.git",
+    "directory": "packages/preinstall-always-fail"
+  },
   "publishConfig": {
@@ -16,3 +21,6 @@ "access": "public"
   "license": "MIT",
-  "gitHead": "f35920ced400e3dfd0c94a64bfdca1a9f567ad23"
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "gitHead": "0de2b246fbe4f4a6e14f3fce021777cbd3102447"
 }

README.md

 # Pre-Install Always Fail
 
-Worried about accidentally running `yarn` or `npm` with script hooks enabled such as `preinstall` or `postinstall`? Adding this package to a project mitigates the likelihood of running any lifecycle scripts by throwing an error on `preinstall`.
+Worried about accidentally running `yarn` or `npm` with script hooks enabled such as `preinstall` or `postinstall`?
 
+Adding this package to a project **mitigates** the likelihood of running any lifecycle scripts by throwing an error during the `preinstall` script execution.
+
 ## Install
 
 ```
+yarn add @lavamoat/preinstall-always-fail
 npm i @lavamoat/preinstall-always-fail
@@ -13,2 +16,7 @@ ```
 
-If the `--ignore-scripts` flag is disabled, running `yarn` or `npm` will fail. Enable the flag and use in conjunction with Lavamoat's [allow-scripts](https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts) to manually whitelist packages running scripts.
+If the `--ignore-scripts` [[1](#1)] flag is missing, running `yarn` or `npm i` will fail.
+Enable the flag and use in conjunction with Lavamoat's [allow-scripts](https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts) to manually whitelist packages running scripts.
+
+## References
+
+<a id="1">[1]</a>: https://docs.npmjs.com/cli/v7/commands/npm-install#ignore-scripts

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Install scripts

Supply chain risk

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Install scripts

Supply chain risk

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Found 1 instance in 1 package

No repository

Supply chain risk

Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.

Found 1 instance in 1 package

No tests

Quality

Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

3844

increased by77.39%

Number of package files

4

increased by33.33%

Number of low quality alerts

1

decreased by-50%

Number of lines in readme file

22

increased by57.14%

Number of low supply chain risk alerts

0

decreased by-100%

Worsened metrics

Number of medium supply chain risk alerts

2

increased by100%

No dependency changes