[wp-trac] [WordPress Trac] #64543: Implement `ignore-scripts` to harden npm usage

WordPress Trac noreply at wordpress.org
Thu Jan 22 22:51:43 UTC 2026


#64543: Implement `ignore-scripts` to harden npm usage
------------------------------+-----------------------------
 Reporter:  johnbillion       |      Owner:  (none)
     Type:  task (blessed)    |     Status:  new
 Priority:  normal            |  Milestone:  Awaiting Review
Component:  Build/Test Tools  |    Version:
 Severity:  normal            |   Keywords:
  Focuses:                    |
------------------------------+-----------------------------
 Lifecycle scripts in npm packages -- in particular `postInstall` scripts
 -- are a significant security concern because by default they execute
 automatically for all dependencies.

 Running `npm install` or `npm ci` not only installs packages but also runs
 the `postInstall` script in every direct and transitive dependency in the
 entire dependency tree.
 [https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages The recent "Shai-Hulud" supply chain attack on the npm ecosystem]
 has been successful in part due to `postInstall` scripts that have allowed
 it to rapidly self-propagate.

 We should strongly consider implementing `ignore-scripts = true` in the
 `.npmrc` file in order to disable the automatic execution of lifecycle
 scripts. This will primarily help protect contributors against malicious
 postInstall scripts that may be introduced by attacks on packages in the
 dependency tree.

 Ironically WordPress core just introduced its own `postInstall` script in
 #64393. This is far from ideal.

 Making this change will cause some short-term pain while we determine the
 best way to ensure that all dependencies continue to work and/or provide
 clear instructions for contributors if manual subsequent steps become
 necessary. As the ecosystem reels from the "Shai-Hulud" supply chain attack
 I fully expect to see more packages remove their postInstall scripts in
 favour of documenting subsequent steps necessary to, for example, install
 dependent binaries.

 There's some tooling available to assist with determining which
 dependencies include lifecycle scripts, but not a lot:

 - `npm query ':attr(scripts, [postinstall])'`
 - `npm query ':attr(scripts, [preinstall])'`
 - `npm query ':attr(scripts, [install])'`
 - https://www.npmjs.com/package/can-i-ignore-scripts
 - https://www.npmjs.com/package/@lavamoat/allow-scripts

 Related links:

 - [https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#3-minimize-attack-surfaces-by-ignoring-run-scripts OWASP recommends using ignore-scripts]
 - [https://socket.dev/blog/pnpm-10-0-0-blocks-lifecycle-scripts-by-default pnpm since version 10 no longer runs any lifecycle scripts by default]
 - [https://www.nodejs-security.com/blog/npm-ignore-scripts-best-practices-as-security-mitigation-for-malicious-packages NPM ignore scripts best practices]

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64543>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform