It's Time for npm to Make Install Scripts Opt-In — npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm).
It's Time for npm to Make Install Scripts Opt-In — npm is the only major package manager that runs dependency install scripts (e.g.
postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm).
This RFC features further discussion of the idea and the tradeoffs involved.
The page is ready to read now. The fuller skim-friendly version will appear here automatically.
It's Time for npm to Make Install Scripts Opt-In — npm is the only major package manager that runs dependency install scripts (e.g. postinstall) by default, and they've become too much of a security weakness, says Jamie, who works for GitHub (maintainers of npm). This RFC features further discussion of the idea and the tradeoffs involved.
#786 — May 19, 2026 Read on the Web JavaScript Weekly RFC: Jamie Magee 💡 npq is a tool that makes npm install s safer. <a href="https://javascriptweekly.com/link/18...
Open the app view to save this story, compare related coverage, and continue from the same source.