denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License

Support for install scripts (ex. "postinstall") for "npm:" specifiers #16164

Open bartlomieju opened 1 year ago

bartlomieju commented 1 year ago

> I'm wondering if maybe we should run post install scripts with a prompt when a user does --node-modules-dir. So the registry cache will always be pure, but the local node_modules won't necessarily be.
>
> Edit: the reason for this only being done in local node_modules dir is that the user's global cache might get into an inconsistent state if they choose not to run or to run a post install script.

^^ by @dsherret

We should consider adding support for "postinstall" scripts, but instead of running them manually users would be prompted to confirm they indeed want the postinstall script to run. In such a case, the script would have permissions passed on the CLI applied with missing permissions being prompted for.

KnorpelSenf commented 1 year ago

> the script would have permissions passed on the CLI applied with missing permissions being prompted for

Just to clarify: you would want to run the postinstall script which could execute arbitrary system binaries, and somehow you are able to constrain the permissions of these binaries based on the command line flags Deno received?

bartlomieju commented 1 year ago

> > the script would have permissions passed on the CLI applied with missing permissions being prompted for
>
> Just to clarify: you would want to run the postinstall script which could execute arbitrary system binaries, and somehow you are able to constrain the permissions of these binaries based on the command line flags Deno received?

No, that is not possible, it would work like any other Deno program that wants to spawn a subprocess - you would be prompted if you want to run a certain subprocess.

KnorpelSenf commented 1 year ago

In other words, passing --node-modules-dir --allow-run upfront will run the postinstall script, passing --node-modules-dir will prompt for run permission before running the postinstall script, and passing nothing at all will not run the postinstall script. Correct?

bartlomieju commented 1 year ago

> In other words, passing --node-modules-dir --allow-run upfront will run the postinstall script, passing --node-modules-dir will prompt for run permission before running the postinstall script, and passing nothing at all will not run the postinstall script. Correct?

Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.

vintprox commented 1 year ago

Relating to the title of the issue, caching npm:matrix-bot-sdk@0.6.3 ends up not running a postinstall script in child dependency @matrix-org/matrix-sdk-crypto-nodejs@0.1.0-beta.3. Because of that, I have to go there and run npm install.

treuherz commented 1 year ago

I don't understand the focus on postinstall in this issue. #15611 was closed in favour of tracking this issue, but most of the libraries affected by that problem (e.g. sqlite3, knex, pulsar-client) fail because the install task isn't being run, rather than postinstall (see https://github.com/denoland/deno/issues/15611#issuecomment-1330692426)

dsherret commented 1 year ago

It meant the same thing in spirit. I renamed the issue.

birkskyum commented 1 year ago

Related to

birkskyum commented 1 year ago

> Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.

It would be great to have a way to configure it, instead of having to pass a lot of consecutive 'enter "Y"' in order to answer Y/n in the CI though.

birkskyum commented 11 months ago

For Sharp specifically, an exciting recent development is that there is a pre-release that presumably can install without custom scripts. I haven't tried it.

birkskyum commented 11 months ago

@bartlomieju, found that this doesn't install the alpha though:

import sharp from 'npm:sharp@0.33.0-alpha.6';

Result: 0.32.6 appears to be installed... Can I force it somehow?

bartlomieju commented 11 months ago

@birkskyum try with --reload flag - if not I believe this bug was fixed last week (https://github.com/denoland/deno/pull/20772) and will be released in v1.37.2.

birkskyum commented 11 months ago

Great! --reload didn't work. I'll attempt to get Deno compiling locally, so that I can more easily test against latest main going forward.

birkskyum commented 9 months ago

Would it be a solution to prompt the user every time a postinstall is about to be fired with options like:

elycheikhsmail commented 8 months ago

> > In other words, passing --node-modules-dir --allow-run upfront will run the postinstall script, passing --node-modules-dir will prompt for run permission before running the postinstall script, and passing nothing at all will not run the postinstall script. Correct?
>
> Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.

Maybe you can add a flag --post-install for allowing some npm pkg to work with deno, until building an alternative solution more secure. A secure solution may statically analyze the action needed for installing a given npm pkg, and interactively ask the user to allow needed permissions; if not possible to do so (analyze the code), alert the user that can install this page with some risk (unknown).
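
The thread distinguishes the install hook from postinstall and asks for a way to review what would run before approving it. The following is an added example, not code from Deno or from any commenter: it lists the install-time scripts a set of parsed package.json manifests would trigger. The function names, the caller-supplied hasBindingGyp flag and the sample manifests are assumptions constructed for illustration.

```javascript
// Hooks npm runs when a dependency is installed, in execution order.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// manifest: a parsed package.json.
// hasBindingGyp (assumed, caller-supplied): true when a binding.gyp file
// sits next to that package.json.
function installScripts(manifest, hasBindingGyp = false) {
  const scripts =
    typeof manifest.scripts === "object" && manifest.scripts !== null
      ? manifest.scripts
      : {};
  const declared = (hook) =>
    typeof scripts[hook] === "string" && scripts[hook].trim() !== "";
  const id = `${manifest.name}@${manifest.version}`;
  const found = [];
  for (const hook of INSTALL_HOOKS) {
    if (declared(hook)) {
      found.push({ id, hook, command: scripts[hook], implicit: false });
    } else if (hook === "install" && hasBindingGyp && !declared("preinstall")) {
      // npm defaults "install" to `node-gyp rebuild` when binding.gyp exists
      // and the package defines neither "install" nor "preinstall".
      found.push({ id, hook, command: "node-gyp rebuild", implicit: true });
    }
  }
  return found;
}

// entries: [{ manifest, hasBindingGyp }], one per installed package.
function auditManifests(entries) {
  return entries.flatMap((e) => installScripts(e.manifest, e.hasBindingGyp));
}

// Constructed sample manifests (hypothetical package names).
const SAMPLE = [
  { manifest: { name: "example-addon", version: "1.0.0",
      scripts: { install: "node-pre-gyp install --fallback-to-build", test: "mocha" } },
    hasBindingGyp: true },
  { manifest: { name: "example-postinstall", version: "2.1.0",
      scripts: { postinstall: "node scripts/download.js" } },
    hasBindingGyp: false },
  { manifest: { name: "example-gyp-only", version: "0.3.0" }, hasBindingGyp: true },
  { manifest: { name: "example-pure-js", version: "4.0.0",
      scripts: { test: "node test.js", build: "tsc" } },
    hasBindingGyp: false },
];

for (const f of auditManifests(SAMPLE)) {
  console.log(`${f.id} ${f.hook}${f.implicit ? " (implicit)" : ""}: ${f.command}`);
}
```

A package that only ships binding.gyp declares no script at all, so a check that looks for "postinstall" alone would miss it.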