Guidance and practice around production deployment
Hello, during the Jan 28, 2019 package maintenance meeting, we discussed issues with npm install running preinstall/install/postinstall scripts from packages automatically, and that's becoming a concern for users and enterprise deployment of NodeJS.
Meeting minutes: https://github.com/nodejs/package-maintenance/blob/master/meetings/2019-01-28.md
There are three main stages that we are concerned with:
- regular user running npm install for their development
- npm install during CI builds
- npm install during deployment to dev/staging/production
That last one is not a good practice to start with, but it happens.
This is mainly a concern for npm, and Tierney has opened a discussion here https://github.com/nodejs/package-maintenance/blob/master/meetings/2019-01-28.md and there have been some very good conversations and talk of an RFC.
I am opening an issue here to keep the security WG in the loop and to see if there's any guidance around this.
Thanks.