Describe the user story

In #4001 we discussed the possibility of evil packages using the npm alias to bypass the onlyBuiltDependencies limitation. Currently, we're using a .pnpmfile to manually implement the allow list.

Describe the solution you'd like

A new field in package.json/pnpm called approvedUnusualResolution

Then if a dependency looks-normal-but-evil tries to declare the dependency as:

pnpm will fail with the following message and it will not try to install/execute lifecycle scripts.

Cannot install "looks-normal-but-evil@0.0.1":
It depends on "wyvern-js", but using an unapproved source "https://my-evil-npm-package.com/wyvern-js.tar.gz"
It depends on "another-package-that-requires-install-script", but using an unapproved source "https://my-evil-npm-package.com/install-evil.tar.gz"

Describe the drawbacks of your solution

Describe alternatives you've considered
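The issue mentions a .pnpmfile that implements the allow list by hand but does not show it. The following is an added example of such a hook, not the issue author's file and not part of pnpm: it uses pnpm's documented readPackage(pkg, context) hook from .pnpmfile.cjs, flags every dependency whose spec bypasses registry-by-name resolution (npm: aliases, tarball and git URLs, hosted-git shorthand, file:/link: paths), and aborts the install with a message in the form the issue proposes unless the (dependent, dependency, spec) triple is on an allow list. The allow-list shape, the trusted-build-tool / native-helper entry and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not the issue author's .pnpmfile and not pnpm code): a
// readPackage hook that enforces an allow list of "unusual" dependency
// resolutions. readPackage(pkg, context) is pnpm's documented .pnpmfile.cjs
// hook; the allow-list format and all package names here are assumptions.

// dependent package name -> dependency name -> the exact spec that is approved
const approvedUnusualResolution = {
  'trusted-build-tool': {
    'native-helper': 'npm:native-helper-prebuilt@2.1.0', // hypothetical entry
  },
};

// Anything that does not resolve through the registry under its own name is
// "unusual": npm: aliases (a dep named X that really installs package Y, which
// is how onlyBuiltDependencies can be bypassed), tarball/git URLs, hosted-git
// shorthand, and local file/link paths. workspace: is deliberately excluded
// because it can only point at packages already inside the repository.
const unusualSpec =
  /^(npm:|https?:|git(\+[a-z]+)?:|ssh:|github:|gitlab:|bitbucket:|gist:|file:|link:)/i;
const hostedShorthand = /^[\w.-]+\/[\w.-]+(#.+)?$/; // e.g. user/repo#commit

function isUnusual(spec) {
  return unusualSpec.test(spec) || hostedShorthand.test(spec);
}

// Returns every dependency of `pkg` that uses an unapproved unusual source.
function findUnapproved(pkg) {
  const approved = approvedUnusualResolution[pkg.name] || {};
  const violations = [];
  for (const field of ['dependencies', 'optionalDependencies']) {
    for (const [dep, spec] of Object.entries(pkg[field] || {})) {
      if (isUnusual(spec) && approved[dep] !== spec) {
        violations.push({ dep, spec });
      }
    }
  }
  return violations;
}

// Builds the failure message in the form proposed in the issue.
function formatError(pkg, violations) {
  const lines = [`Cannot install "${pkg.name}@${pkg.version}":`];
  for (const { dep, spec } of violations) {
    lines.push(`  It depends on "${dep}", but using an unapproved source "${spec}"`);
  }
  return lines.join('\n');
}

// pnpm calls this for every manifest it reads during resolution. Throwing
// aborts the install before any lifecycle script of the offending package or
// of its aliased/URL dependencies gets a chance to run.
function readPackage(pkg, context) {
  const violations = findUnapproved(pkg);
  if (violations.length > 0) {
    throw new Error(formatError(pkg, violations));
  }
  return pkg;
}

if (typeof module !== 'undefined') {
  module.exports = { hooks: { readPackage }, findUnapproved, formatError, isUnusual };
}

// Constructed sample manifest (not a real package) mirroring the issue's
// scenario: two tarball URLs, one npm: alias, and one ordinary semver range.
const evilManifest = {
  name: 'looks-normal-but-evil',
  version: '0.0.1',
  dependencies: {
    'wyvern-js': 'https://my-evil-npm-package.com/wyvern-js.tar.gz',
    'another-package-that-requires-install-script':
      'https://my-evil-npm-package.com/install-evil.tar.gz',
    'allowed-to-build': 'npm:something-with-install-script@1.0.0',
    'lodash': '^4.17.21',
  },
};
```

Drop the file next to package.json as .pnpmfile.cjs; pnpm picks it up automatically. The check is per manifest, so a transitive dependency that aliases an allow-listed name to a different package is caught at the point where that manifest is read, which is the case #4001 is about.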