A proposal to make npm safer?

November 11, 2021 By Mark Otto

Node-RED in Industrial IoT: A Growing Standard

Node-RED is a very long-standing Node.js-based ‘low code’ environment where you wire components together. As explained here, it’s heavily used in IoT scenarios and is even taking on established commercial systems.

United Manufacturing Hub


  • The next branch of V8 has appeared: V8 v9.7 – a relatively minor one with findLast and findLastIndex methods appearing for Arrays and TypedArrays. Wait for a Node release in a month or two, perhaps.

  • The OpenJS Foundation has updated its Node.js certification exams from Node 14 to Node 16 standards.

Proposal: Make npm's Install Scripts Opt In — Recent security issues involving compromised packages are making npm install’s ability to run arbitrary commands seem like a risky proposition. A developer kicked off a discussion by suggesting adding some nuance to how common pre/post-install scripts are run (or not).

Francisco Ryan Tolmasky I, et al.

sudo rm -rf / === npm install — A tale of why copying and pasting random commands from the Internet isn’t a great idea, but then moving on to why install scripts that can ‘run just about anything’ might not be much better. (Note: Title edited for safety.)

Geoffrey Huntley

Find Tech Jobs with Hired — Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It’s free for job-seekers.

🛠 Code & Tools