Safer npm installation is on the way for Node.js (and all JavaScript)

JavaScript’s package manager, npm, has been in the news lately because of supply-chain attacks. By default, npm trusts a package’s lifecycle install scripts (preinstall, install and postinstall) and runs them automatically, with your user’s privileges, during npm install. Until now the only opt-out has been the blunt npm install --ignore-scripts flag (or ignore-scripts=true in .npmrc), which disables every package’s scripts at once. In a recent compromise of Red Hat npm packages, attackers used malicious install scripts to spread a credential-stealing worm.

Some packages do need to run installation scripts. The odbc module, for example, uses node-gyp during installation to compile the driver. On IBM i and other platforms, that compile step may be necessary.

npm’s response

Starting with npm 11.16.0, npm warns when it runs an install script from a package that has not been explicitly approved. In npm 12, unapproved install scripts are expected to be blocked by default rather than merely warned about.

If you install a package that has install scripts under npm 11.16.0, you will see a warning such as this:

For legitimate packages that genuinely need their install scripts, the fix is to approve them explicitly with npm approve-scripts. For example:

Once approved, npm records that the package is allowed to run its install script, so later installs proceed without the warning:

In our case, approving odbc is appropriate: its install script runs node-gyp, which is the compile step the module needs to build the ODBC driver binding.

We suggest upgrading npm now, running your usual installs, and reviewing every warning while it is still only a warning. Approve a package only when you understand why it needs an install script; a script you cannot explain from the package’s purpose is exactly what this change exists to catch. Do this before npm 12 turns the warning into a block.

To upgrade npm to the latest version:

Thank you to IBM’s Korinne Adler for alerting us to this change.

For more open source support and security help

Contact us for professional open source support and security guidance.
