Consider disabling npx auto-install by default #9
Comments
Hey there! I hope it isn't bad form but I've copied this preexisting issue from npm/npm#19673. I think the behavior this issue describes is a very surprising default and hope it can be moved to a feature flag or removed.
I agree, it could at least ask if you want to install package "name_of_package".
This is, for better or worse, an incredibly common use case for npx. Downloading code from the internet and running it on your machine in one command line may be dangerous (foolish?), but it's also very convenient. People making CLIs love it because it allows regular releases without needing to worry about leaving 99% of your install base behind, and almost completely avoids issues from end users running outdated versions. End users love it because it's simple. npx is currently the preferred method of running create-react-app and create-next-app. Just some food for thought. Adding a short flag that means both
@heyimalex, thanks for the perspective with references. Maybe there could be some transition time where relying on the old auto-install behavior shows a warning in one version and then a prompt to install in the next version, to allow toolmakers and users to transition.
+1
And it could still be a feature that people can/need to opt in for, e.g. using the npm config mechanism (or any other that is already in place).
I'm trying to find out where it's installing things and how to remove them. It seems like it's automatically uninstalled afterwards.
From an organizational security perspective the auto-install behavior is extremely concerning. This should be considered a security vulnerability. Here is a workaround:
check_bundle.sh assumes it will be invoked by package.json with an NPM PATH environment. This means you can't run it directly without the bundlesize executable in your PATH. The issue is resolved by wrapping the `bundlesize` invocation in npx. Since [npx will auto-install by default], disable that behavior for safety since the assumption is that the script will be invoked from the MobileFrontend repo. Unfortunately, CI does not have npx so the following hack is used instead: `PATH="$(npm bin):$(npm bin -g):$PATH" bundlesize`. That is, get the local package.json executable directory, get the global bin directory too, and prepend it to PATH. [npx will auto-install by default]: npm/npx#9 Change-Id: I2e13633b1394ad7d7f2ede56416ca932a82a63db
Isn't this fixed in NPM 7: https://blog.npmjs.org/post/617484925547986944/npm-v7-series-introduction In the blog post, they mention that it now asks for confirmation before downloading a package. For reference, the npx command is now bundled into the main npm/cli repository; this one is no longer used. The commit with the fix is here: npm/cli@3aba8d6#diff-62fc6e653ef5d0f48270b34d19b0fe951ae78674a0fde733eb23295a2d15fb00
@just-boris, I believe you are correct (although I missed the reference in the blog post):
I'll leave the maintainers to decide whether this ticket is still valid or not.
Wow, a malicious user could create npm packages with common typos in the name to compromise random machines.
Spent an hour trying to understand what was the problem with
Agreed this is very worrying, especially given https://github.com/basarat/tsc/blob/master/bin/tsc is the auto-install alias for tsc, creating mysterious problems (associated with running a 6-year-old version of TypeScript) and leaving it as a huge target for hijacking. Roll on version 7 and no auto-install being bundled by default.
In npm 7, npx prompts and does not install by default. |
Copied from npm/npm#19673
I'm opening this issue because:
What's going wrong?
A feature of `npx` that I was not aware of until today is that it will auto-install and auto-execute any module not found in path. I discovered this by typing `npx ts` (ts module) instead of `npx tsc` (typescript). By the time I realized what happened, the module had already installed and executed on my machine.
The module could be malicious, or just plain annoying to undo (e.g. writing certain files around my system, modifying configs, deleting files in current folder, etc). It's hard to know what just got run on my machine without downloading & inspecting the JS in the tarballs.
How can the CLI team reproduce the problem?
Running `npx [command]` will auto-install and auto-run a module not installed. This is a handy feature but IMHO it should be opt-in to avoid catastrophic situations where somebody mis-types a module, or runs code from a gist.
I realize it's not really different from `npm install [bad-code]`, but at least the latter is much more explicit and obvious what is happening. I was under the impression `npx` was used for running local node_modules bin scripts, but not much else. I also tend to type `npx [cmd]` more frequently than `npm install`, thus it seems more prone to typos/errors.
Thoughts? Or is it just me?
EDIT:
Here is a scenario where `npx [cmd]` is a bit more problematic than just `npm i`.
1. A module, `cool-mvc`, has a bin script called `funkytown`. The docs guide users to run `npm install cool-mvc && npx funkytown` to launch the script in their own project.
2. Later the user deletes `node_modules` or cd's out of the project folder.
3. They run `npx funkytown` again, and the result is surprising. It installs and executes the bin script in the `funkytown` module, not the `cool-mvc` module. This new module may be malicious, or just an unlucky coincidence.