Provide a CLI hook to only install a package with issues after confirmation
complete
Christian Bewernitz
To prevent the initial installation of a package with issues, it would be nice to allow some kind of hook (maybe preinstall?) to be added to a project. When it is there and one tries to install a package that has major/minor/any issues, it would either just prevent it from being installed, or maybe list some details and ask for a confirmation before going ahead.

If it is a tool that you have to remember to use before running npm install x or yarn add x or ... the impact is likely not that high, but I guess it would also be better than nothing. Maybe it could become a feature of the CLI tool that you are working on?

But maybe a small dependency-free npm package that can be run with npx will be better to allow it to be run even without any local installation taking place beforehand...

Feross Aboukhadijeh (Socket)
complete
In March 2023, we introduced “safe npm” to protect developers whenever they use npm install.
https://socket.dev/blog/introducing-safe-npm
Feross Aboukhadijeh (Socket)
planned
This is something that we plan to build.
Feross Aboukhadijeh (Socket)
under review
Thanks for the suggestion - we're considering it!