How to disallow npm packages from executing post install scripts, without disabling scripts defined in package.json?


Question

Watching a nice YouTube video that mentions security concerns using the NPM package manager, I think it makes sense to disallow packages to execute code as they are installed. This NPM configuration will do that:

npm config set ignore-scripts true

But then scripts defined in package.json don't run, including npm start. This is annoying.

Is there a way that I can prevent packages from executing code (I think it's the post install script, if I remember correctly) and still allow scripts defined in package.json to run?

Just to be clear: I DO want to execute my own scripts. I DON'T want to execute 3rd party scripts during an npm install.

Answer

The npm-install docs state:

The --ignore-scripts argument will cause npm to not execute any scripts defined in the package.json.

So, essentially, when you install a package you need to append the --ignore-scripts argument to prevent third-party packages from executing scripts such as postinstall.

For example:

npm install <pkg_name> --ignore-scripts

Notes:

  • After installation of a third-party package has completed, you can still run your own npm scripts that are defined in package.json.

I think it makes sense to disallow packages to execute code as they are installed.

That depends. When ignoring scripts using the --ignore-scripts argument you cannot always guarantee that the package you have installed will be fully functional; that depends on what tasks are carried out in the postinstall script, for example.

