Hi there,
I'm reaching out because pre-commit is one of the most depended-on npm packages that runs an install script, and an accepted npm RFC is going to change how those scripts behave.
The RFC blocks dependency install scripts by default during npm install. That's the same thing pnpm, Yarn Berry, Bun, and Deno already do. Users opt back in per package through a new allowScripts field in package.json (or the npm approve-scripts command). The motivation is the run of supply-chain attacks over the last couple of years that used postinstall hooks to run code the moment a package landed in the tree.
For pre-commit, the script that's affected is:
```json
"install": "node install.js"
```
That script downloads or builds something pre-commit needs to work, so under the new default it won't run unless the user adds pre-commit to their allowScripts. Installs that skip it will likely fail at runtime with a missing-binary error, which is a confusing failure mode for your users. The most robust fix is to move that work to first use, the first time the package is actually run, so it keeps working with no allowlist entry. If it has to stay at install time, please document the allowScripts line prominently in your README.
I wanted to flag this early so you've got time to plan rather than find out when the install warnings start showing up. The full RFC is here: npm/rfcs#868. Happy to answer any questions.