@lavamoat/preinstall-always-fail
Comparing version 1.0.0 to 1.0.2
{ | ||
"name": "@lavamoat/preinstall-always-fail", | ||
"version": "1.0.0", | ||
"version": "1.0.2", | ||
"description": "", | ||
"main": "index.js", | ||
"scripts": { | ||
"test": "echo \"Error: no test specified\"", | ||
"preinstall": "echo \"Don't run npm lifecycle scripts by default, whitelist them with @lavamoat/allow-scripts\" && exit 1" | ||
"test": "exit 0", | ||
"preinstall": "echo \"Don't run npm lifecycle scripts by default! Create a .yarnrc or .npmrc and set enableScripts: false. Then, whitelist them with @lavamoat/allow-scripts\" && exit 1" | ||
}, | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/LavaMoat/LavaMoat.git", | ||
"directory": "packages/preinstall-always-fail" | ||
}, | ||
"publishConfig": { | ||
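Review bot: The new `preinstall` message tells users to create a `.yarnrc` or `.npmrc` and set `enableScripts: false`, but that key belongs to Yarn Berry's `.yarnrc.yml`. npm reads `ignore-scripts=true` from `.npmrc`, and Yarn classic reads `ignore-scripts true` from `.yarnrc`. A user who copies the message literally into `.npmrc` still has lifecycle scripts enabled and will hit this failure again. Suggest naming the correct key for each tool in the message, or pointing at the README instead of embedding a single setting.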
@@ -16,3 +21,6 @@ "access": "public" | ||
"license": "MIT", | ||
"gitHead": "f35920ced400e3dfd0c94a64bfdca1a9f567ad23" | ||
"engines": { | ||
"node": ">=14.0.0" | ||
}, | ||
"gitHead": "0de2b246fbe4f4a6e14f3fce021777cbd3102447" | ||
} |
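Review bot: The added `engines` block (`"node": ">=14.0.0"`) narrows the supported runtimes in what the page header shows as a 1.0.0 to 1.0.2 patch bump, while the only behaviour visible in this manifest is a shell `echo ... && exit 1` that does not depend on the Node version. Some package managers treat an unmet `engines` range as an install error, which would replace the intended preinstall message with an unrelated one. Suggest dropping the constraint, or stating the Node requirement in the README.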
# Pre-Install Always Fail | ||
Worried about accidentally running `yarn` or `npm` with script hooks enabled such as `preinstall` or `postinstall`? Adding this package to a project mitigates the likelihood of running any lifecycle scripts by throwing an error on `preinstall`. | ||
Worried about accidentally running `yarn` or `npm` with script hooks enabled such as `preinstall` or `postinstall`? | ||
Adding this package to a project **mitigates** the likelihood of running any lifecycle scripts by throwing an error during the `preinstall` script execution. | ||
## Install | ||
``` | ||
yarn add @lavamoat/preinstall-always-fail | ||
npm i @lavamoat/preinstall-always-fail | ||
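Review bot: The reworded sentence keeps "mitigates the likelihood" without saying what is left uncovered. Since the protection depends on this package's own `preinstall` running and exiting 1, the README should state whether other dependencies' lifecycle scripts can already have executed by that point, so readers do not treat the package as a guarantee. "Reduces the likelihood" would also read better, and the Install block should say that the `yarn add` and `npm i` lines are alternatives.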
@@ -13,2 +16,7 @@ ``` | ||
If the `--ignore-scripts` flag is disabled, running `yarn` or `npm` will fail. Enable the flag and use in conjunction with Lavamoat's [allow-scripts](https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts) to manually whitelist packages running scripts. | ||
If the `--ignore-scripts` [[1](#1)] flag is missing, running `yarn` or `npm i` will fail. | ||
Enable the flag and use in conjunction with Lavamoat's [allow-scripts](https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts) to manually whitelist packages running scripts. | ||
## References | ||
<a id="1">[1]</a>: https://docs.npmjs.com/cli/v7/commands/npm-install#ignore-scripts |
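Review bot: The new sentence and reference [1] document only npm's `--ignore-scripts` CLI flag, although the same sentence names `yarn` and the new `preinstall` message in package.json tells users to set a config-file option instead. Suggest showing the persistent config setting for each tool next to the flag so the README and the error message agree, and adding a Yarn reference beside the npm one. The link is also pinned to the v7 docs, and "Lavamoat's" should be "LavaMoat's" to match the project name used in the URL.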
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Install scripts
Supply chain risk: Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Install scripts
Supply chain risk: Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Found 1 instance in 1 package
No repository
Supply chain risk: Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code used to generate the package.
Found 1 instance in 1 package
No tests
Quality: Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.
Found 1 instance in 1 package