TLDR
- Thin npm wrapper that blocks all lifecycle scripts by default, then reruns them only for an explicit trustedDependencies allowlist in package.json.
Key Takeaways
- Set ignore-scripts=true in .npmrc; safe-install handles the rebuild step for approved packages like esbuild or sharp.
- review-deps subcommand surfaces which installed packages declare install-time scripts, making the audit step concrete.
- blockExoticSubDeps flag fails installs when any transitive dep uses git:, file:, link:, or remote tarball specifiers outside the npm registry.
- Trust decisions live in package.json and are version-controlled, not per-developer environment settings.
- Equivalent to manually chaining npm install --ignore-scripts then npm rebuild --ignore-scripts=false <pkg>, but automated and reviewable.
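The flow the takeaways describe, as an added example that is not safe-install's own code: the post-install audit (review-deps), the exotic-specifier check (blockExoticSubDeps) and the allowlisted rebuild, written as pure functions over a constructed set of installed manifests and a constructed package-lock so it runs offline. Function names, the shape of the blockExoticSubDeps option, the registry allowlist and all sample package data are assumptions; only `trustedDependencies`, `ignore-scripts=true` and the two npm commands come from the page.

```javascript
// Added example, not safe-install's own code: the wrapper's post-install step
// (review-deps, blockExoticSubDeps and the trustedDependencies rebuild) as pure
// functions over constructed manifests and a constructed package-lock, so it runs
// offline. Function names and the blockExoticSubDeps option shape are assumptions.

// Lifecycle scripts npm runs on its own during install (prepare also fires for git deps).
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];
// Assumption: only the public registry is trusted; a private mirror would be added here.
const REGISTRY = "https://registry.npmjs.org/";

// review-deps equivalent: installed packages (node_modules/**/package.json) that
// declare install-time scripts, with the script names so a reviewer sees what would run.
function reviewDeps(manifests) {
  return manifests
    .map((m) => ({
      name: m.name,
      version: m.version,
      scripts: INSTALL_SCRIPTS.filter((s) => m.scripts && m.scripts[s]),
    }))
    .filter((m) => m.scripts.length > 0);
}

// A specifier is "exotic" when it is not a plain registry range, tag or npm: alias:
// git/ssh URLs, file:, link:, hosted-git shorthand, or a remote tarball URL.
function isExoticSpec(spec) {
  return (
    /^(git\+|git:|file:|link:|github:|gitlab:|bitbucket:|https?:|ssh:)/i.test(spec) ||
    /^[^@/#\s]+\/[^/#\s]+(#.*)?$/.test(spec) // bare user/repo shorthand
  );
}

// blockExoticSubDeps equivalent over a lockfileVersion 2/3 "packages" map: flag every
// installed entry that is a link or resolved outside the registry, plus every declared
// specifier (root included) that is exotic, so the report says why.
function findExoticSubDeps(lock, registry = REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path === "" ? "(root)" : path.replace(/^.*node_modules\//, "");
    if (path !== "") {
      if (entry.link) {
        findings.push({ name, reason: `link: to ${entry.resolved}` });
      } else if (!entry.resolved || !entry.resolved.startsWith(registry)) {
        findings.push({ name, reason: `resolved outside registry: ${entry.resolved || "(none)"}` });
      }
    }
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (isExoticSpec(spec)) findings.push({ name, reason: `depends on ${dep}@${spec}` });
    }
  }
  return findings;
}

// The rebuild step. By now the wrapper has run `npm install --ignore-scripts`, read the
// installed manifests and the lock, and decides what may run. Because .npmrc still says
// ignore-scripts=true, the rebuild has to pass --ignore-scripts=false explicitly.
function planRebuild(pkgJson, manifests, lock, opts = {}) {
  const trusted = pkgJson.trustedDependencies || [];
  const installed = new Set(manifests.map((m) => m.name));
  const withScripts = reviewDeps(manifests).map((r) => r.name);
  const exotic = opts.blockExoticSubDeps ? findExoticSubDeps(lock) : [];
  return {
    ok: exotic.length === 0, // false means: fail the install, rebuild nothing
    exotic,
    // Allowlisted names absent from node_modules: a stale trustedDependencies entry.
    missing: trusted.filter((n) => !installed.has(n)),
    // Scripts that stay blocked; this is the list a reviewer has to look at.
    untrustedWithScripts: withScripts.filter((n) => !trusted.includes(n)),
    rebuild: trusted.length
      ? ["npm", "rebuild", "--ignore-scripts=false", ...trusted.filter((n) => installed.has(n))]
      : null,
  };
}

// Constructed sample input; versions and script bodies are illustrative, not real metadata.
const sampleManifests = [
  { name: "esbuild", version: "0.21.0", scripts: { postinstall: "node install.js" } },
  { name: "sharp", version: "0.33.0", scripts: { install: "node install/check.js" } },
  { name: "sample-hook-pkg", version: "1.0.0", scripts: { preinstall: "node collect.js" } },
  { name: "helper", version: "0.1.0" }, { name: "local-thing", version: "0.0.1" },
];
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { esbuild: "^0.21.0", "sample-hook-pkg": "^1.0.0" } },
    "node_modules/esbuild": { version: "0.21.0", resolved: `${REGISTRY}esbuild/-/esbuild-0.21.0.tgz` },
    "node_modules/sharp": { version: "0.33.0", resolved: `${REGISTRY}sharp/-/sharp-0.33.0.tgz` },
    "node_modules/sample-hook-pkg": {
      version: "1.0.0",
      resolved: `${REGISTRY}sample-hook-pkg/-/sample-hook-pkg-1.0.0.tgz`,
      dependencies: { helper: "git+https://github.com/example/helper.git#abc123" },
    },
    "node_modules/helper": { version: "0.1.0", resolved: "git+ssh://git@github.com/example/helper.git#abc123" },
    "node_modules/local-thing": { resolved: "../local-thing", link: true },
  },
};
const samplePackageJson = { name: "app", trustedDependencies: ["esbuild", "sharp"] };

const plan = planRebuild(samplePackageJson, sampleManifests, sampleLock, { blockExoticSubDeps: true });
console.log(JSON.stringify(plan, null, 2));
```

On the sample data the plan comes back with `ok: false` (three exotic findings: the git dependency declared by sample-hook-pkg, the package resolved from that git URL, and the link: entry), `untrustedWithScripts: ["sample-hook-pkg"]`, and the rebuild command limited to esbuild and sharp; a real wrapper would hand the `rebuild` argv to child_process.spawnSync only when `ok` is true. Two caveats worth knowing when you adopt the .npmrc setting itself: `ignore-scripts=true` also suppresses your own project's pre/post hooks (and prepare), and because it applies to `npm rebuild` too, the rebuild step is a no-op unless `--ignore-scripts=false` is passed, which is why the page's manual equivalent spells it out.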
Hacker News Comment Review
- No substantive HN discussion yet.