ossf / package-manager-best-practices

Collection of security best practices for package managers.
Apache License 2.0

RC npm: install scripts and reproducible installation #14

Closed calebbrown closed 2 years ago

calebbrown commented 2 years ago

From looking at data for packages coming through the Package Analysis project, I see a lot of NPM packages installing artifacts via preinstall, postinstall and install scripts.

These can fail to be "reproducible" because:

Some examples:

It is probably worth addressing this scenario in the doc to ensure people are aware of this behavior when trying to ensure their package install is reproducible.

lirantal commented 2 years ago

Just wanting to note here that with npx you can surely specify a version modifier and it's not always latest, even though that is indeed the default. (reference: npx docs)

I'm not entirely sure though what is the point of raising these. As in, these aren't concerns end-users can do something about.

jeffmendoza commented 2 years ago

Agree, there is not much a user can do about it. The point of this section is to describe why a lockfile is important to an application, not to get into the install scripts issues.

We've discussed in other issues that it is not really feasible at this point to recommend that users use --ignore-scripts or even avoid packages with install scripts, as they are very prevalent in the ecosystem and required by those packages. We'll close this out for now and keep an eye on the scripts space for advances.