
@hendrikdp

install-hooks-whitelist

feat: add install-hooks-whitelist to restrict lifecycle script execution

What

This change introduces a new install-hooks-whitelist option that limits which packages are allowed to execute hooks during npm install.

When configured, npm install hooks are only executed for packages explicitly listed in the whitelist; hooks from all other packages are skipped.

Why

Npm hooks are a well-known security risk in the npm ecosystem, as they allow arbitrary code execution during install.

While --ignore-scripts disables all hooks, it is often too coarse-grained for real-world usage where certain packages legitimately rely on install scripts.

This option provides a middle ground:

  • Preserve necessary install hooks for trusted packages
  • Prevent unexpected or malicious script execution from untrusted dependencies
  • Improve security posture without breaking common workflows

Behavior

  • Hooks run only for packages included in the whitelist
  • Hooks for all other dependencies (including transitive ones) are skipped
  • Default behavior remains unchanged when the option is not provided

Use cases

  • CI environments with strict security requirements
  • Enterprises with curated dependency allowlists
  • Safer installs when consuming third-party packages

Example

npm install --install-hooks-whitelist="node-sass,core-js"
@hendrikdp hendrikdp requested a review from a team as a code owner December 30, 2025 14:14
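To make the described policy concrete, here is an added model of it in Node.js; it is not npm's code or this PR's implementation. It assumes a simplified tree shape (`{ dependencies: { name: { scripts, dependencies } } }`) and the comma-separated option value shown in the example above, and it reports which lifecycle scripts would run or be skipped, including transitive ones.

```javascript
// Added example modelling the proposed install-hooks-whitelist policy.
// Not npm's or the PR's implementation; the tree shape below is an assumption.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Parse the comma-separated option value; `null` means the option was not given.
function parseAllowlist(value) {
  if (value === undefined || value === null) return null;
  return new Set(value.split(',').map((s) => s.trim()).filter(Boolean));
}

// Hooks run for every package when the option is absent (default behaviour
// unchanged); otherwise only for packages explicitly listed.
function hooksAllowed(pkgName, allowlist) {
  return allowlist === null || allowlist.has(pkgName);
}

// Walk the tree and record, per declared lifecycle script, the policy decision.
// Transitive dependencies are evaluated against the same allowlist.
function auditTree(root, allowlist, path = [], report = []) {
  for (const [name, pkg] of Object.entries(root.dependencies || {})) {
    const chain = [...path, name];
    const scripts = pkg.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (hook in scripts) {
        report.push({
          package: name,
          hook,
          path: chain.join(' > '),
          action: hooksAllowed(name, allowlist) ? 'run' : 'skip',
        });
      }
    }
    auditTree(pkg, allowlist, chain, report);
  }
  return report;
}

// Constructed sample tree (not a real node_modules): one allowed direct
// dependency that pulls in a transitive package with its own postinstall.
const sampleTree = {
  dependencies: {
    'node-sass': {
      scripts: { install: 'node scripts/install.js', postinstall: 'node scripts/build.js' },
      dependencies: { 'some-transitive': { scripts: { postinstall: 'node setup.js' } } },
    },
    'core-js': { scripts: { postinstall: 'node postinstall.js' } },
    'left-pad': {},
  },
};

console.table(auditTree(sampleTree, parseAllowlist('node-sass,core-js')));
```

With the allowlist from the example, the transitive package's postinstall is the only entry reported as skipped; with no option value every declared hook is reported as running.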