Closed. calebbrown closed this 2 years ago.

Just wanting to note here that with `npx` you can surely specify a version modifier and it's not always latest, even though that is indeed the default. (reference: npx docs)

I'm not entirely sure though what is the point of raising these. As in, these aren't concerns end-users can do something about.

Agree, there is not much a user can do about it. The point of this section is to describe why a lockfile is important to an application, not to get into the install scripts issues.

We've discussed in other issues that it is not really feasible at this point to recommend that users use `--ignore-scripts` or even avoid packages with install scripts, as they are very prevalent in the ecosystem and required by those packages. We'll close this out for now and keep an eye on the scripts space for advances.
From looking at data for packages coming through the Package Analysis project I see a lot of NPM packages installing artifacts via `preinstall`, `postinstall` and `install` scripts.

These can be not "reproducible" because:

Some examples:

- `node-pre-gyp` often involves downloading binary artifacts from arbitrary endpoints (often S3 buckets)
- `npx` will download and run the latest version of the package listed on the command line
- `yarn`, `npm` (yeah...), `cargo`, `bower`, `pip`, etc. without any pinning (`pip install` may overwrite shared python deps outside of `node_modules`)

It is probably worth addressing this scenario in the doc to ensure people are aware of this behavior when trying to ensure their package install is reproducible.
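The issue above lists install-phase scripts that reach outside the lockfile (binary fetchers, unpinned `npx`, nested package managers), and the first comment notes that `npx` can be pinned with a version modifier. As an added example that is not code from this issue or from the project the thread belongs to, the script below audits `package.json` manifests for exactly those patterns so a reviewer can see what an `npm install` would run before deciding whether a lockfile alone makes the install reproducible. The sample manifests, package names and commands are constructed for the example; the tool name lists and the simplified handling of `npx` flags are assumptions, not a complete model of npm's behaviour.

```python
import json
import os
import re
import shlex
import sys

# Lifecycle scripts npm runs during `npm install` (the phases named in the issue).
INSTALL_PHASES = ("preinstall", "install", "postinstall")

# Assumed classification lists for this example: tools that fetch prebuilt
# binaries from package-chosen endpoints, other package managers whose installs
# land outside node_modules, and generic network download tools.
BINARY_FETCHERS = {"node-pre-gyp", "prebuild-install"}
NESTED_MANAGERS = {"pip", "pip3", "cargo", "bower", "gem"}
NETWORK_TOOLS = {"curl", "wget"}

# Constructed sample manifests (not real packages) exercising each pattern.
SAMPLE_MANIFESTS = {
    "native-lib": {"scripts": {"postinstall": "node-pre-gyp install --fallback-to-build"}},
    "tool-runner": {"scripts": {"preinstall": "npx some-codegen generate"}},
    "tool-runner-pinned": {"scripts": {"postinstall": "npx some-codegen@2.1.0 generate && node scripts/verify.js"}},
    "py-bridge": {"scripts": {"install": "pip install somepylib"}},
    "plain": {"scripts": {"test": "jest"}},
}


def split_commands(script):
    """Split a shell one-liner on &&, ||, ; and | (naive: ignores quoting of operators)."""
    return [part.strip() for part in re.split(r"&&|\|\||;|\|", script) if part.strip()]


def _npx_target(tokens):
    """Package spec npx would run: first non-flag argument (simplified; `-p pkg cmd` is treated as pkg)."""
    for tok in tokens[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def _is_pinned(spec):
    """True for 'pkg@1.2.3' or '@scope/pkg@1.2.3'; False for a bare name (resolves to latest)."""
    body = spec[1:] if spec.startswith("@") else spec  # skip the scope marker
    return "@" in body


def classify_command(cmd):
    """Return finding tags for one command; an empty list means nothing flagged."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return ["unparseable"]
    # Drop leading environment assignments such as FOO=1 cmd.
    while tokens and "=" in tokens[0] and not tokens[0].startswith("-"):
        tokens = tokens[1:]
    if not tokens:
        return []
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog in BINARY_FETCHERS:
        return ["binary-download"]
    if prog == "npx":
        spec = _npx_target(tokens)
        if spec is None:
            return ["npx-no-target"]
        return ["npx-pinned" if _is_pinned(spec) else "npx-unpinned"]
    if prog in NESTED_MANAGERS:
        return [f"nested-install:{prog}"]
    if prog in ("npm", "yarn"):
        sub = tokens[1] if len(tokens) > 1 else ""
        if sub in ("install", "i", "add", "global"):
            return [f"nested-install:{prog}"]
        return []
    if prog in NETWORK_TOOLS:
        return ["network-fetch"]
    return []


def audit_manifest(manifest):
    """Map each install-phase script with findings to its list of finding tags."""
    scripts = manifest.get("scripts", {}) or {}
    report = {}
    for phase in INSTALL_PHASES:
        script = scripts.get(phase)
        if not script:
            continue
        findings = [tag for cmd in split_commands(script) for tag in classify_command(cmd)]
        if findings:
            report[phase] = findings
    return report


def audit_tree(manifests):
    """Audit a {name: manifest} mapping, returning {name: report} (empty report = nothing flagged)."""
    return {name: audit_manifest(m) for name, m in manifests.items()}


def audit_node_modules(root):
    """Walk an installed node_modules tree and return only packages with findings."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        report = audit_manifest(manifest)
        if report:
            found[manifest.get("name", dirpath)] = report
    return found


if __name__ == "__main__":
    result = audit_node_modules(sys.argv[1]) if len(sys.argv) > 1 else audit_tree(SAMPLE_MANIFESTS)
    print(json.dumps(result, indent=2))
```

Run it with a path to an installed `node_modules` directory to list the packages whose install scripts are flagged, or with no argument to see the classification on the constructed samples. The tags are a triage aid, not a verdict: a `binary-download` finding says the artifact's origin is chosen by the package rather than recorded in the lockfile, which is the reproducibility gap the issue describes, and `npx-pinned` versus `npx-unpinned` shows the difference the version modifier makes.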