How to run a script before installing a new nodejs dependency

I tried to use the preinstall npm script, but it only runs when the project is checked out into a new workspace and a standalone "npm i" is launched.

I need a solution to run the script before a new dependency is added to package.json. It should not depend on the type of dependency, dev or prod: all must be checked.

For example, when a new developer joins the team and wants to add a new dependency that is known to be vulnerable, this script stops the action before package.json is changed and displays a warning message for the developer.

+5
4 answers

There is no way to do this using npm scripts. So, unless you feel like implementing one yourself, you will have to adapt your process. Start by identifying all the problems you are trying to solve with a dependency-installation hook.

You give the example of preventing the installation of a dependency or a dependency version. That is not a problem: it is the solution you have identified for a problem. Find out what the actual problem is, and then re-evaluate your solution to make sure it is indeed the most appropriate measure.

Perhaps you are afraid of vulnerable code making it into production. That is a problem definition you can work with. What are the possible solutions? You have already identified a blacklist. But not only is this not supported by your tools; even if it were, you would have to maintain that blacklist. Considering how fast the Node world moves, that is enough to keep several people busy full time. And that does not even cover deploying it to your developers.

The good news is that this is not the only solution: you can establish procedural guarantees against the integration of vulnerable code. If you use a distributed VCS such as Git, pull requests are right there: disable direct pushes to the master or development branches, make developers work in feature branches and submit pull requests, then review those pull requests and vet any new dependencies for vulnerabilities as they appear. If you use something like SVN, you can use feature branches with code reviews to similar effect. Your developers get extra eyes on their code looking for vulnerabilities, optimizations, edge cases, etc.; you don't spend time screening dependencies that nobody ever tries to integrate; and nobody has to worry about getting the latest copy of the blacklist. For this particular scenario, everyone wins with a process solution over a technical one.

If you have other reasons to run scripts when installing dependencies, try going back to the root of the problem in the same way. Given how dependency management and interaction with Node modules work, you will probably find that developing better process habits is preferable.

+2

If you use git, you can use pre-commit / pre-push hooks; the result is almost the same: no vulnerabilities in the code base.

For example, with husky and nsp you could do something like this:

    {
      "scripts": {
        "prepush": "nsp check"
      }
    }
+2

Following up on Gabriel's suggestions, since you are worried about developers wasting time when an added lib fails nsp check: you can use an editor extension to run nsp check as you code. Husky will then do the pre-commit nsp check.

I would also recommend Greenkeeper.io to prevent vulnerabilities before they are discovered.

0

If the main problem is that these vulnerable packages are being run on your network (since there is no way to prevent developers from using these programs at all), you can either mirror a subset of the npm registry that you consider safe, or manually add known-safe dependencies to that mirror, and block access to the main registry https://registry.npmjs.org/ at the network level. This will mean that your developers are stuck waiting for a mirror update, but it would require someone to at least stop and think before the problem module can be installed.

0

Source: https://habr.com/ru/post/1272383/