I only do npm install in a docker container where the project and npm cache are mounted. Gives me a bit of security regarding attacks through post install scripts. (--no-scripts is not an option since I need some of them)
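The container setup the comment describes, written out as an added example (this is not the commenter's own script); the node image, the mount points /work and /npm-cache, the dropped capabilities, and the DOCKER override variable are assumptions:

```shell
#!/bin/sh
# Added example: run `npm install` in a throwaway container so that install
# scripts can only write to the mounted project directory and a dedicated npm
# cache, not to the host's home directory, SSH keys or shell config.
set -eu

# $1 = host path of the project (mounted read-write at /work)
# $2 = host path of an npm cache used only for sandboxed installs
# $3 = image (assumed default; pin a digest in real use)
# DOCKER may be overridden (e.g. DOCKER=echo) to inspect the command line.
sandboxed_npm_install() {
  project="$1"
  cache="$2"
  image="${3:-node:20-alpine}"
  "${DOCKER:-docker}" run --rm \
    --user "$(id -u):$(id -g)" \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    -v "$project:/work" \
    -v "$cache:/npm-cache" \
    -e npm_config_cache=/npm-cache \
    -e HOME=/tmp \
    -w /work \
    "$image" npm install
}

# Usage: sandboxed_npm_install "$PWD" "$HOME/.npm-sandbox"
```

Lifecycle scripts still run (no --ignore-scripts), but as an unprivileged user inside a read-only root filesystem with only /work, /npm-cache and /tmp writable, so a malicious postinstall has no path to the host beyond the project tree itself.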
When do people ever do npm install if you don’t trust the project or know what install scripts will run? I’m a web developer of 10 years and I’ve never run npm install to install a piece of software. The only time I ever run npm is when I’m doing development for work.