1208 points jamesberthoty | 1 comments
theodorejb ◴[] No.45263347[source]
It's crazy to me that npm still executes postinstall scripts by default for all dependencies. Other package managers (Pnpm, Bun) do not run them for dependencies unless they are added to a specific allow-list. Composer never runs lifecycle scripts for dependencies.

This matters because dependencies are often installed in a build or development environment with access to things that are not available when the package is actually imported in a browser or other production environment.

VPenkov ◴[] No.45273686[source]
It does not, since version 11:

https://docs.npmjs.com/cli/v11/using-npm/changelog#1100-pre0...

theodorejb ◴[] No.45274759[source]
Yes it does, since the ignore-scripts option is not enabled by default.
1. VPenkov ◴[] No.45276822[source]
Yes it does, you're correct and I have misread. I can't edit, delete, or flag my initial reply unfortunately.
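
Added example, not part of the thread: one way to see which dependencies would run install-time lifecycle scripts, by reading the `hasInstallScript` flag that npm records in `package-lock.json` (lockfileVersion 2 and 3) and checking each hit against an allow-list of the kind the first comment describes. The sample lockfile, package names and the allow-list are constructed for illustration.

```javascript
// Constructed sample lockfile; package names and versions are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/native-addon": { version: "2.1.0", hasInstallScript: true },
    "node_modules/plain-lib": { version: "4.0.2" },
    "node_modules/plain-lib/node_modules/telemetry-helper": {
      version: "0.3.1", hasInstallScript: true
    },
    "node_modules/@scope/builder": { version: "1.2.3", hasInstallScript: true, dev: true }
  }
});

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every non-root entry that declares a preinstall/install/postinstall
// script, marking whether its name is on the caller's allow-list.
function findInstallScripts(lockText, allowList = []) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("lockfile has no 'packages' map (lockfileVersion 1?)");
  }
  const allowed = new Set(allowList);
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => {
      const name = packageNameFromPath(path);
      return { name, version: meta.version, path,
               dev: meta.dev === true, allowed: allowed.has(name) };
    })
    // Plain code-unit ordering keeps the report stable across locales.
    .sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Stand-alone run: report hits, with only "native-addon" approved.
for (const f of findInstallScripts(SAMPLE_LOCK, ["native-addon"])) {
  console.log(`${f.allowed ? "allowed " : "REVIEW  "}${f.name}@${f.version}  (${f.path})`);
}
```

In a real project, pass the contents of the project's own `package-lock.json` as `lockText`; anything reported as `REVIEW` is a package whose scripts would run on install unless the `ignore-scripts` option is enabled.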