npmjs.com and preinstall ELF executables
kpcyrd
kpcyrd at archlinux.org
Thu Jun 11 15:38:10 UTC 2026
On 6/11/26 5:24 PM, Marc Ohm wrote:
> Hey,
>
> using install scripts to execute malicious behavior is indeed very common.
> Same situation with the setup.py in Python.
>
> For npm, there is a flag that disables the execution of scripts.
> Since npm v12 (estimated release July 2026), scripts are disabled by default.
>
>> allowScripts defaults to off: npm install will no longer execute preinstall,
>> install, or postinstall scripts from dependencies unless they are explicitly
>> allowed in your project.
>
Even better :)
Thanks for the link, I'm looking forward to July!
More information about the rb-general mailing list