Skip to content

feat(pnpm): block untrusted package postinstall scripts by default #10140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
GiladShoham merged 2 commits into from
Dec 30, 2025
Merged

feat(pnpm): block untrusted package postinstall scripts by default #10140

GiladShoham merged 2 commits into from
Dec 30, 2025
+13 −0

Conversation

@GiladShoham
Copy link
Member

@GiladShoham GiladShoham commented Dec 30, 2025

Block postinstall scripts for known untrusted packages (es5-ext, less, protobufjs, core-js, core-js-pure, ssh) by default. Users can explicitly allow them via allowScripts if needed.

Untrusted Packages Analysis

Package Script Purpose Required Risk
es5-ext Political messaging (geolocation-based) No Medium
less Package manager enforcement No Low
protobufjs Version scheme validation No Low
core-js Donation banner No Low
core-js-pure Donation banner No Low

None of these scripts are required for package functionality.
Copilot AI review requested due to automatic review settings December 30, 2025 16:20
@GiladShoham GiladShoham enabled auto-merge (squash) December 30, 2025 16:21
Copilot AI reviewed Dec 30, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances security by blocking postinstall scripts for known untrusted packages (es5-ext, less, protobufjs, core-js, core-js-pure, ssh) by default. Users can still explicitly allow these packages via the allowScripts configuration if needed.

  • Added a constant list of untrusted package names
  • Modified the script policy resolution logic to automatically block these packages unless explicitly allowed
  • Maintains backward compatibility through the existing allowScripts override mechanism

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
scopes/dependencies/pnpm/lynx.ts
Comment on lines +435 to +440
// Add untrusted packages to ignoredBuiltDependencies unless the user explicitly allows them
for (const untrustedPkgName of UNTRUSTED_PACKAGE_NAMES) {
if (allowScripts?.[untrustedPkgName] !== true) {
ignoredBuiltDependencies.push(untrustedPkgName);
}
}
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The untrusted packages blocking logic is only applied in the default mode (when dangerouslyAllowAllScripts is false), but not when dangerouslyAllowAllScripts is true. This means that setting dangerouslyAllowAllScripts: true will bypass the untrusted package protection entirely, even for packages that should never run scripts due to security concerns.

Consider applying the untrusted packages check regardless of the dangerouslyAllowAllScripts setting, or at minimum adding these packages to the neverBuiltDependencies list in the dangerouslyAllowAllScripts branch (lines 407-411) alongside 'core-js'.
Copilot uses AI. Check for mistakes.
scopes/dependencies/pnpm/lynx.ts
Comment on lines +435 to +440
// Add untrusted packages to ignoredBuiltDependencies unless the user explicitly allows them
for (const untrustedPkgName of UNTRUSTED_PACKAGE_NAMES) {
if (allowScripts?.[untrustedPkgName] !== true) {
ignoredBuiltDependencies.push(untrustedPkgName);
}
}
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The UNTRUSTED_PACKAGE_NAMES array includes 'core-js' and 'core-js-pure', but line 410 also hardcodes 'core-js' in the neverBuiltDependencies list for the dangerouslyAllowAllScripts mode. This creates an inconsistency where 'core-js' is treated differently from the other untrusted packages when dangerouslyAllowAllScripts is enabled.

Consider updating line 410 to use UNTRUSTED_PACKAGE_NAMES instead of hardcoding 'core-js' to maintain consistency and ensure all untrusted packages are handled uniformly.
Copilot uses AI. Check for mistakes.
scopes/dependencies/pnpm/lynx.ts
Comment on lines +435 to +440
// Add untrusted packages to ignoredBuiltDependencies unless the user explicitly allows them
for (const untrustedPkgName of UNTRUSTED_PACKAGE_NAMES) {
if (allowScripts?.[untrustedPkgName] !== true) {
ignoredBuiltDependencies.push(untrustedPkgName);
}
}
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new logic for blocking untrusted packages lacks test coverage. Given that this is a security-sensitive feature that affects package installation behavior, it should have comprehensive tests to verify:

  • Untrusted packages are blocked by default
  • Explicitly setting allowScripts[packageName] = true allows the package
  • Explicitly setting allowScripts[packageName] = false blocks the package
  • The behavior when dangerouslyAllowAllScripts is enabled

Consider adding unit tests for the resolveScriptPolicies function to ensure this security feature works as expected.
Copilot uses AI. Check for mistakes.
@GiladShoham GiladShoham merged commit 7a7292c into master Dec 30, 2025
12 checks passed
@GiladShoham GiladShoham deleted the feat/untrusted-packages-scripts branch December 30, 2025 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@GiladShoham @guysaar223