Open bartlomieju opened 1 year ago
the script would have permissions passed on the CLI applied with missing permissions being prompted for
Just to clarify: you would want to run the postinstall script which could execute arbitrary system binaries, and somehow you are able to constrain the permissions of these binaries based on the command line flags Deno received?
No, that is not possible, it would work like any other Deno program that wants to spawn a subprocess - you would be prompted if you want to run a certain subprocess.
In other words, passing --node-modules-dir --allow-run upfront will run the postinstall script, passing --node-modules-dir will prompt for run permission before running the postinstall script, and passing nothing at all will not run the postinstall script. Correct?
Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.
Relating to the title of the issue, caching npm:matrix-bot-sdk@0.6.3 ends up not running a postinstall script in child dependency @matrix-org/matrix-sdk-crypto-nodejs@0.1.0-beta.3. Because of that, I have to go there and run npm install.
I don't understand the focus on postinstall in this issue. #15611 was closed in favour of tracking this issue, but most of the libraries affected by that problem (e.g. sqlite3, knex, pulsar-client) fail because the install task isn't being run, rather than postinstall (see https://github.com/denoland/deno/issues/15611#issuecomment-1330692426)
It meant the same thing in spirit. I renamed the issue.
Related to
Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.
It would be great to have a way to configure it, instead of having to pass a lot of consecutive 'enter "Y"' in order to answer Y/n in the CI though.
For Sharp specifically, an exciting recent development is that there is a pre-release that presumably can install without custom scripts. I haven't tried it.
@bartlomieju, found that this doesn't install the alpha though:
import sharp from 'npm:sharp@0.33.0-alpha.6';
Result: 0.32.6 appears to be installed... Can I force it somehow?
@birkskyum try with --reload flag - if not I believe this bug was fixed last week (https://github.com/denoland/deno/pull/20772) and will be released in v1.37.2.
Great! --reload didn't work. I'll attempt to get Deno compiling locally, so that I can more easily test against latest main going forward.
Would it be a solution to prompt the user every time a postinstall is about to be fired with options like:
In other words, passing --node-modules-dir --allow-run upfront will run the postinstall script, passing --node-modules-dir will prompt for run permission before running the postinstall script, and passing nothing at all will not run the postinstall script. Correct?
Not clear at this moment, I'd err on the side of always prompting for postinstall scripts regardless of permissions passed on the CLI.
Maybe you can add a flag --post-install for allowing some npm pkg to work with Deno, until a more secure alternative solution is built. A secure solution may statically analyze the actions needed for installing a given npm pkg, and interactively ask the user to allow the needed permissions; if it is not possible to do so (analyze the code), alert the user that they can install this page with some risk (unknown)
^^ by @dsherret
We should consider adding support for "postinstall" scripts, but instead of running them manually users would be prompted to confirm they indeed want postinstall script to run. In such case, the script would have permissions passed on the CLI applied with missing permissions being prompted for.
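
The policy discussed in this thread (find packages that declare install-time scripts, run only what was approved up front, prompt when a user is present, otherwise skip) can be sketched as below. This is an added example, not Deno's implementation or code from the thread; `planInstallScripts`, its `allow` and `interactive` options, and the sample manifests are hypothetical.

```javascript
// Added example: hypothetical policy sketch, not Deno's implementation.
// Lifecycle hooks that npm runs at install time, in execution order.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// List the install-time commands a package manifest would trigger.
// npm treats `node-gyp rebuild` as an implicit "install" script when the
// package ships a binding.gyp and declares no install/preinstall script.
function installCommands(manifest, hasBindingGyp = false) {
  const declared = manifest.scripts ?? {};
  const scripts = { ...declared };
  if (hasBindingGyp && !declared.install && !declared.preinstall) {
    scripts.install = "node-gyp rebuild";
  }
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string" && scripts[hook].trim() !== "")
    .map((hook) => ({ hook, command: scripts[hook], implicit: !declared[hook] }));
}

// Decide per package: "run" (approved up front), "prompt", or "skip".
//   allow:       Set of "name@version" ids approved in advance (e.g. for CI)
//   interactive: true when a user is available to answer a prompt
function planInstallScripts(packages, { allow = new Set(), interactive = false } = {}) {
  const plan = [];
  for (const { manifest, hasBindingGyp } of packages) {
    const commands = installCommands(manifest, hasBindingGyp);
    if (commands.length === 0) continue; // nothing would execute
    const id = `${manifest.name}@${manifest.version}`;
    const action = allow.has(id) ? "run" : interactive ? "prompt" : "skip";
    plan.push({ id, action, commands });
  }
  return plan;
}

// Constructed sample manifests (not real package.json contents).
const SAMPLE = [
  { manifest: { name: "native-addon", version: "1.0.0", scripts: { install: "node-gyp rebuild" } } },
  { manifest: { name: "gyp-only", version: "2.1.0" }, hasBindingGyp: true },
  { manifest: { name: "fetches-binary", version: "0.3.0",
                scripts: { postinstall: "node download.js", test: "mocha" } } },
  { manifest: { name: "pure-js", version: "4.0.0", scripts: { test: "mocha" } } },
];

// Non-interactive run (CI) with one package approved in advance.
const ciPlan = planInstallScripts(SAMPLE, { allow: new Set(["native-addon@1.0.0"]) });
for (const { id, action, commands } of ciPlan) {
  console.log(action.padEnd(6), id, commands.map((c) => `${c.hook}: ${c.command}`).join("; "));
}
```

Covering `install` and the implicit `node-gyp rebuild` case alongside `postinstall` matters because, as noted above, several affected libraries depend on the `install` task rather than `postinstall`.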