Scripts that are run with npx-safe still have network access, even when allow-net is false. See this repository for the details.
The net access is given explicitly in the code.
npx has a feature to download a package if it's not yet installed. I guess this is the main motivation behind giving npx internet access? It would be nicer to allow npx-safe to run without internet access by default, or with some switch, or we should at least mention this in the README, since, I think, the behavior is quite surprising and potentially dangerous.
With npx-safe eslint, ESLint will have internet access. With "scripts": { "lint": "eslint" } in package.json and npm-safe run lint, it won't.
P.S. Thank you a lot for the project. This package has the potential to save the JS ecosystem :)