UI Drafter

Getting rid of NPM scripts

by Eric Fortis

In 2016 Sam Saccone reported that npm's install-time lifecycle scripts (preinstall, install, postinstall) let an adversary run arbitrary code on your machine the moment you install a package of theirs, or any package that depends on it. As mitigation, NPM co-founder Laurie Voss suggests:

  • Option 1: passing --ignore-scripts on every npm install
  • Option 2: adding ignore-scripts=true to your .npmrc, so it applies to every install

UI Drafter uses the latter because it avoids having to remember the flag every time. But that option also disables NPM scripts: with ignore-scripts=true, the npm versions of the time silently skipped npm run, npm test and friends. (Current npm, v7 and later, still runs a script you name explicitly, such as npm test or npm run build, and only skips its pre and post hooks.) Therefore, we end up with two alternatives:

  • Option A: overriding per invocation: npm run --ignore-scripts=false test
  • Option B: using a shell script as follows, or a Makefile (shown at the end of this post)

#!/bin/sh
# Task runner replacing "npm run": ./make <task>
case "$1" in
  dev)    ./make-dev.js ;;
  test)   mocha "src/**/*.test.js" ;;
  lint)   eslint src ;;
  slint)  stylelint "src/**/*.css" ;;

  prod)   time ./make-production.js ;;
  all)    $0 test && $0 lint && $0 slint && $0 prod ;;  # $0 is this script, so tasks chain and stop on the first failure

  *)      echo "Invalid task $1" >&2; exit 1 ;;
esac

Which, after chmod +x make, can be run as:

$ ./make test

If a tool is not installed globally, invoke it through its path under node_modules/.bin (npm scripts add that directory to PATH; a plain shell script does not):

lint)   node_modules/.bin/eslint src ;;

Overriding at installation

If you need packages that install binaries, or that rely on running an NPM script, temporarily override the mitigation for that one install:

$ npm install --ignore-scripts=false package-i-trust

Before doing so, look at what the package declares: npm view package-i-trust scripts prints its scripts field, including any preinstall or postinstall hooks. Keep in mind that the override applies to the whole install, so the package's own dependencies get to run their install scripts too.

Overriding a project

If you can't follow the above recommendations for a certain project, instead of allowing scripts globally, create an .npmrc file next to that project's package.json with the following line (a project-level .npmrc takes precedence over the user-level one):

ignore-scripts=false

An alternative suggested in the Hacker News thread is a Makefile with one target per task (recipe lines must be indented with a tab):

test:
	mocha "src/**/*.test.js"
lint:
	eslint src
slint:
	stylelint "src/**/*.css"

prod:
	sh -c "time ./make-production.js"

all: test lint slint prod

.PHONY: test lint slint prod all

Which can be run as:

$ make test
