typicode/pinst

Packages that use pinst are broken when they are installed with npm 10.4.0 and later

Closed this issue · 9 comments

Hello.

Just a heads up that npm 10.4.0 and later seem to have broken pinst. It seems that npm 10.4.0 runs scripts named _postinstall after package installation exactly as if they were named postinstall.

This seems to be a bug in npm, but I am reporting it here for visibility. See npm/cli#7322.

Thanks for letting me know! I hope it'll get resolved soon.

It should have a low impact as pinst is useful for yarn in particular.

Unfortunately the problem occurs at package installation time, so it affects packages built with yarn if the end user installs them with npm.

Some of my packages use yarn and pinst, and if you install those packages as a dependency in another project with npm 10.4.0+, then npm will try to run the _postinstall script, and either fail or do something stupid.

You're right, didn't see things from this point.

Hi @typicode. The above description of this problem is not accurate, but there is a problem you ought to know about.

I've emailed you privately about this for reasons that will become apparent when you read the email. Please be on the lookout for an email from mail@danielcassidy.me.uk.

Closing this issue for now.

What's the solution here? This still seems to be the problem.

@technophile-04 The workaround is to remove pinst --disable and pinst --enable from your prepack and postpack scripts and run them in some other way before and after you perform a release. You could do this manually or write a separate release script.

Personally I use GitHub Actions and semantic release to perform releases automatically, so I simply modified my GitHub Actions workflows to run yarn pinst --disable before yarn semantic-release, and yarn pinst --enable after.

The reason I was being cagey about what causes this is that it relates to a security flaw in npm. I reported all the details to npm in April and also shared the details with @typicode, but otherwise I kept them private to avoid the flaw being exploited.

npm have had plenty of time to fix the flaw and don't seem to have done anything, so I've decided enough is enough and am publishing my findings here: https://gist.github.com/djcsdy/2f5a287b3ba16f2a8f0312f45588e6ce

If anyone comes to this bug wanting to understand what's going on, the above link will explain everything.

I also encountered this and wrote up some test code to confirm that pinst doesn't really work anymore for Yarn 2+ users: https://github.com/blimmer/husky-npm-prepare-issue/actions/runs/10287849621/job/28471879804

The _postinstall rename doesn't work with newer versions of node/NPM.
