
Configure npm to ignore-scripts#2361

Open
westonruter wants to merge 1 commit into trunk from add/npm-ignore-scripts

Conversation

@westonruter
Member

This is a security hardening improvement.

See Core-64543.

@github-actions

github-actions bot commented Jan 24, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: westonruter <westonruter@git.wordpress.org>
Co-authored-by: thelovekesh <thelovekesh@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@westonruter westonruter added [Type] Enhancement A suggestion for improvement of an existing feature no milestone PRs that do not have a defined milestone for release skip changelog PRs that should not be mentioned in changelogs labels Jan 24, 2026
@westonruter
Member Author

I realize this will probably break Husky from automatically getting set up.

@westonruter westonruter added skip changelog PRs that should not be mentioned in changelogs and removed skip changelog PRs that should not be mentioned in changelogs labels Jan 24, 2026
@thelovekesh
Member

This would be a somewhat restrictive change, since we do occasionally need postinstall scripts, especially when a dependency needs to compile native C or C++ modules.

If we go down this path, it would make more sense to switch to a better package manager that supports whitelisting packages allowed to run postinstall scripts, such as Bun.

These modern package managers also come with several additional benefits, like cooldown periods when installing new dependencies, and they are also insanely fast.

@westonruter
Member Author

> This would be a somewhat restrictive change, since we do occasionally need postinstall scripts, especially when a dependency needs to compile native C or C++ modules.

Is this needed for this repo, however?

> If we go down this path, it would make more sense to switch to a better package manager that supports whitelisting packages allowed to run postinstall scripts, such as Bun.

I hesitate to diverge from using a package manager different from what is being used in core or Gutenberg.

@thelovekesh
Member

> Is this needed for this repo, however?

Not sure, but it's just a possibility in addition to what you noted for husky.

@westonruter
Member Author

In the meantime, I've added a ~/.npmrc with ignore-scripts = true.

@thelovekesh
Member

Also, it would be better if we can add a command like setup to run any required lifecycle scripts and document it to run it manually while setting up the project for the first time.

@westonruter westonruter mentioned this pull request Feb 1, 2026