npm-lint VS git-open

That postinstall and other scripts have been a problem for a long time - the PoC for example could be installed via npx, which would then run postinstall which executes another script to steal /etc/password data.

This is not a new problem, you just have another vector.

I came up with a free linter package to try solve it - but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.

https://github.com/tanepiper/npm-lint

Also ended up writing a similar tool but didn't take it much further.

I did try come up with a npm linter but never really completed it.

A while back I wrote a opt-in tool called npl-lint[1] that would allow some CI-level enforcement of rules in package.json although I didn't go too far with it - one thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.

It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).

I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.

[1] https://github.com/tanepiper/npm-lint

That how I use git open. Guess I assumed it was more common, so why not.

Project: h5bp/html5-boilerplate, Webfundamentals, GoogleChrome/lighthouse, so-fancy/diff-so-fancy, git-open

You might want to change name to something else. There's already a git-open and I use it extensively!

I love git open[0] but I was always a bit mystified by how a simple "npm install" command can modify what it needs to in order for "git open" to become a valid command.

[0]https://github.com/paulirish/git-open