Tag
lifecycle-scripts
Safeguard articles tagged "lifecycle-scripts" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Open Source
The npm prepare Script: What It Does and How to Use It Safely
The npm prepare lifecycle script runs at more moments than most developers realize, including when someone installs your package from git. Here is exactly when it fires and how to keep it from becoming an attack vector.
Apr 18, 20256 min read
Supply Chain Security
npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.
Mar 20, 20247 min read
Open Source Security
How to Audit npm Postinstall Scripts Safely
Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.
Nov 22, 20234 min read