Forgetting to prefix local path with ./ leads to unexpected installation
k1sul1 opened this issue · 2 comments
I wrote a simple module that is located in js/admin. Without thinking about it much, I wrote
import colourizeColourselects from 'js/admin/colourizeColourselects';
and was a bit shocked to see "Installing js..." appear in my terminal, as I certainly didn't want to install anything.
Since anyone can upload basically anything to npm, and npm provides hooks such as postinstall, this is potentially dangerous. Could there be an additional check, just to see if the user actually meant to import a local module, rather than installing blindly? Is js/admin/colourizeColourselects even a valid name for a package?
It would be better if the command prompt offered an option before installing: "Is this the package that you want to install: 'example-package'?" If the user says yes, go ahead with the installation; if not, complete without installing that package.
If I wanted to manually confirm something, I would just install the damn package myself. I'm also pretty sure that Webpack doesn't allow prompting while running a watcher.
I stopped using this package shortly after writing this issue since it's just too big of a security risk. It should check for local paths before installing anything.