npm/npx

[FEATURE] introduce new command to alias npx --no-install to avoid possible security issue

Opened this issue · 2 comments

ackvf commented

What / Why

npx is widely used to bootstrap various projects using the latest available packages in the npm registry without having to install them locally and keeping up to date whenever one wants to use them. I think that this is the one feature the public is aware of the most, at least in my circles.

It was only after I got frustrated with a package which used a different name for its executable, failing to run it big time, that I discovered that npx is meant to run packages first, then install them from npm as a fallback. Turns out there were many more people as surprised as me (from the library's issues).

Moreover, the name this package used for its executable refers to a completely different package in npm, which also imposes a possible security threat.
I have already warned the library authors to use --no-install with all their npx commands in the docs, but that will just bother the end user.

To avoid confusion and security leaks, I suggest that npx --no-install or npx --ignore-existing be separated to different commands altogether.

related #9


One idea that crossed my mind (to avoid completely different executable names) is to use npx <package> to run local packages and npx i <package> to run them with installation, which is a pattern already known from npm.

Is your suggestion to introduce new executables so people don't need to type npx --no-install?

Regarding this issue in general and the last section specifically,
I don't get how this is different from the discussion already present in #9.

I think creating more issues with very similar topics doesn't really help in cases of repositories that are not very well maintained.

ackvf commented

Yes, #9 would probably be better, but it's not backwards compatible and could break things, am I wrong?

Generally I don't mind how this is going to be resolved.


I didn't mean it as a way to make life easier for lazy devs, but for library authors to be able to write concise, understandable installation steps without side effects and not well-known behaviour. Having to always write --no-install or --ignore-existing introduces overhead for both the library authors and consumers.

Having two commands would clear the confusion, reduce the wtf factor and improve the security as well.

I think we can both agree that people are not aware of the current function and raise issues of unexpected behaviour in both ways.


You may close this issue if you prefer a change to npx over adding a supplementary command.
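As an added illustration of the "local-only" behaviour this thread asks for (example code, not part of the issue or of npm/npx itself): a shell function that resolves an executable from the nearest `node_modules/.bin`, walking up parent directories, and fails instead of fetching anything from the registry. The names `resolve_local_bin` and `npx_local` are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not npm's own code: a local-only stand-in for `npx --no-install`.
# It never falls back to installing a package, so a typo or an executable name
# that differs from the package name cannot silently pull a different package
# from the registry.

# resolve_local_bin NAME [START_DIR]
# Prints the path of NAME in the nearest node_modules/.bin at or above
# START_DIR (default: current directory). Returns 1 when nothing is found.
resolve_local_bin() {
    name=$1
    dir=${2:-$(pwd)}
    # Reject empty names and anything containing a path separator, so the
    # lookup cannot escape node_modules/.bin.
    case $name in
        ''|*/*) return 1 ;;
    esac
    while :; do
        candidate="$dir/node_modules/.bin/$name"
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# npx_local NAME [ARGS...]
# Runs the locally installed executable NAME with ARGS; exits 127 (like a
# shell "command not found") instead of installing when it is missing.
npx_local() {
    bin=$(resolve_local_bin "$1") || {
        echo "npx_local: '$1' is not installed locally; refusing to fetch it from the registry" >&2
        return 127
    }
    shift
    "$bin" "$@"
}
```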