Watching a nice YouTube video that mentions security concerns using the NPM package manager, I think it makes sense to disallow packages to execute code as they are installed. This NPM configuration will do that:
npm config set ignore-scripts true
But then scripts defined in `package.json` don't run, including `npm start`. This is annoying.
Is there a way that I can prevent packages from executing code (I think it's the post install script, if I remember correctly) and still allow scripts defined in `package.json` to run?
Just to be clear: I DO want to execute my own scripts. I DON'T want to execute 3rd party scripts during an `npm install`.
The npm-install documentation states:
> The `--ignore-scripts` argument will cause npm to not execute any scripts defined in the package.json.
So, essentially, when you install a package you need to append the `--ignore-scripts` argument to prevent third-party packages from executing scripts, such as `postinstall`.
For instance:
npm install <pkg_name> --ignore-scripts
Notes:
> I think it makes sense to disallow packages to execute code as they are installed.
That depends: when ignoring scripts using the `--ignore-scripts` argument you cannot always guarantee that the package you have installed will be fully functional - that depends on what tasks are carried out in the `postinstall` script, for example.
Seems like there's no way to ~~whitelist~~ opt-in to allow scripts only in selected packages.
But, seems like Yarn2 supports it now: https://dev.to/arcanis/introducing-yarn-2-4eh1#perpackage-build-configuration