npx disabled by default, opt-in only

[troywweber7]

When avn is activated, I've noticed that when I run a misspelled command, it tries to run the command from npx. Since npx can reach out to npm for binaries, I consider this a security risk. Avn should default to this being disabled, but allow users to opt-in to it. At the very least, if that is not possible, I'd like to know how to disable it for my own peace of mind.

Thanks!

Details

• avn avn --version 0.2.4
• node node --version v12.13.1
• nvm nvm --version 0.34.0
• bash bash --version GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu) Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

nvm specific

• [X] As an nvm user I am confirming that I did not install with Homebrew

[ljharb]

It could run it with --no-install.

[troywweber7]

It might be doing that already, actually. If I try to run cowsay it tries with npx but fails, whereas npx cowsay actually succeeds. I'm closing this issue because It seems to be save of that already.