It seems like npm packages are getting compromised left and right. A major attack vector is vulnerable dependencies (e.g. plain-crypto-js) slipping into popular packages (e.g. axios) that are able to run scripts.
I realize that npm has ignore-scripts=true, but for many projects, this is unusable because they do need to run first-party or certain third-party scripts (e.g. postinstall, sharp).
There are third-party packages like @lavamoat/allow-scripts that are a step in the right direction, but then you need to change from using npm install or npm ci to a different command like npm setup, which is unfortunate. This functionality also really feels like something that should be built into npm, not available via a dep.