npmjs.com and preinstall ELF executables

Eric Cornelissen ericco at kth.se
Fri Jun 12 12:45:00 UTC 2026


Hi,


While waiting for npm v12 you can instruct npm to ignore such scripts by setting `ignore-scripts=true` in `~/.npmrc`.


However, for both what I and Marc said, there's a catch: the following bypasses any protections in place:


```
post_install() {
   cd /tmp
   # a nested install that turns scripts back on for itself
   npm install --ignore-scripts=false REDACTED yargs
}
```


I wrote up https://github.com/npm/rfcs/issues/896 regarding this, please consider adding a +1 or giving feedback.


Regards,

Eric

________________________________
From: rb-general <rb-general-bounces at lists.reproducible-builds.org> on behalf of kpcyrd <kpcyrd at archlinux.org>
Sent: Thursday, June 11, 2026 5:38:10 PM
To: rb-general at lists.reproducible-builds.org
Subject: Re: npmjs.com and preinstall ELF executables

On 6/11/26 5:24 PM, Marc Ohm wrote:
> Hey,
>
> using install scripts to execute malicious behavior is indeed very common.
> Same situation with the setup.py in Python.
>
> For npm, there is a flag that disables the execution of scripts.
> Since npm v12 (estimated release July 2026), scripts are disabled by default.
>
>> allowScripts defaults to off: npm install will no longer execute preinstall,
>> install, or postinstall scripts from dependencies unless they are explicitly
>> allowed in your project.
>

Even better :)

Thanks for the link, I'm looking forward to July!
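As an added, defender-side illustration of the point made in this thread (it is example code written for this page, not something posted by Eric, Marc or kpcyrd), the following Python script audits an extracted package tree for the three things the thread warns about: lifecycle scripts declared in `package.json`, scripts that re-enable script execution with `--ignore-scripts=false` (or an equivalent override, a heuristic list that is an assumption of this example), and files that start with the ELF magic bytes. The sample package tree it scans is constructed inline, so it runs offline; the package names, paths and script bodies in it are made up for the example.

```python
"""Audit an extracted npm package tree for install-time code execution risk.

Added example for this page; not code from the rb-general thread. Flags:
  * preinstall/install/postinstall scripts declared in package.json,
  * scripts that re-enable script execution (--ignore-scripts=false and
    similar overrides; the pattern list is a heuristic, an assumption here),
  * files whose first bytes are the ELF magic (native executables shipped
    inside a package).
"""
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall")
ELF_MAGIC = b"\x7fELF"
# Ways a script may turn lifecycle scripts back on for a nested install.
# Heuristic and not exhaustive: an assumption of this example.
REENABLE_RE = re.compile(
    r"--ignore-scripts(?:=|\s+)false\b"
    r"|--no-ignore-scripts\b"
    r"|npm_config_ignore_scripts=false\b"
)


def find_elf_files(pkg_dir):
    """Return relative paths of files under pkg_dir starting with the ELF magic.
    Nested node_modules are skipped so each package is reported on its own."""
    hits = []
    for dirpath, dirnames, files in os.walk(pkg_dir):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(ELF_MAGIC)) == ELF_MAGIC:
                        hits.append(os.path.relpath(path, pkg_dir).replace(os.sep, "/"))
            except OSError:
                continue
    return sorted(hits)


def audit_package(pkg_dir):
    """Return findings for one package directory."""
    findings = {"lifecycle": {}, "reenables_scripts": [], "elf": []}
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if cmd:
                findings["lifecycle"][hook] = cmd
                if REENABLE_RE.search(cmd):
                    findings["reenables_scripts"].append(hook)
    findings["elf"] = find_elf_files(pkg_dir)
    return findings


def audit_tree(root):
    """Audit every directory holding a package.json under root
    (for example a node_modules directory), keyed by relative path."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            report[rel] = audit_package(dirpath)
    return report


def build_sample_tree():
    """Construct a small node_modules tree in a temp dir (sample data for this
    example): one clean package and one that mirrors the bypass from the thread."""
    root = tempfile.mkdtemp(prefix="npm-audit-example-")
    good = os.path.join(root, "node_modules", "good-pkg")
    bad = os.path.join(root, "node_modules", "bad-pkg", "bin")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "good-pkg", "version": "1.0.0"}, fh)
    with open(os.path.join(root, "node_modules", "bad-pkg", "package.json"),
              "w", encoding="utf-8") as fh:
        json.dump({"name": "bad-pkg", "version": "1.0.0", "scripts": {
            "postinstall": "cd /tmp && npm install --ignore-scripts=false yargs"
        }}, fh)
    # A stand-in "binary": only the ELF header magic followed by padding.
    with open(os.path.join(bad, "helper"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 12)
    return root


def demo():
    return audit_tree(build_sample_tree())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a real checkout with `audit_tree("path/to/node_modules")`; anything in `reenables_scripts` deserves a look before trusting `ignore-scripts=true` in `~/.npmrc`, since that setting only governs the outer `npm install`, not an install a script spawns itself.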