Skip to content

chore: Avoid running postinstall scripts #13830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rafaeelaudibert merged 10 commits into from
Nov 26, 2025
Merged

chore: Avoid running postinstall scripts #13830

rafaeelaudibert merged 10 commits into from
Nov 26, 2025

Conversation

@rafaeelaudibert
Copy link
Member

@rafaeelaudibert rafaeelaudibert commented Nov 24, 2025
edited
Loading

Let's migrate to pnpm to allow us to choose what scripts are run on pre/postinstall and also add our new minimumReleaseAge to avoid installing very recent packages

@vercel
Copy link

vercel bot commented Nov 24, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
posthog Ready Ready Preview Nov 25, 2025 9:34pm

@rafaeelaudibert
chore: Avoid running postinstall scripts
0e248fe 
These are a security risk, let's not run them if not needed

This might not work because yarn 1 doesn't let us choose what dependencies are allowed to run postinstall scripts. We'll need to migrate to pnpm if we fail to build the app with these changes.
@rafaeelaudibert
chore: Migrate to pnpm
abc19f5 
yarn is very hard to make it safe after today's supply chain attack, let's use pnpm - same as our main repo
@rafaeelaudibert
feat: Add missing dep
050edef 
This worked when using yarn because a dependency installed this, but this stopped working when using pnpm because it installs files in different places
@rafaeelaudibert
chore: Add existing dependencies to list
f84b8f0
@rafaeelaudibert
fix: Update browserslist
7f27294
@rafaeelaudibert
fix: Fix incorrect advice
820f67b
@rafaeelaudibert
feat: Add all missing deps to package.json
68d3658 
We were previously using yarn and on yarn you can require transitive dependencies because files are installed like this

```
node_modules
  | node
  | posthog-js
  | posthog-js-dependency-i-can-require
```

on pnpm, on the other hand, they're nested, which means we cannot require dependencies we didn't install - which is much saner

This meant we had to install more packages than before to get this to work
@rafaeelaudibert
chore: add axios
a7051fd
@rafaeelaudibert
chore: sort package.json
8e3de8b
@rafaeelaudibert
chore: Update pnpm lock
3d72208
@rafaeelaudibert rafaeelaudibert force-pushed the harden-posthog-com-no-postscript-installs branch from 8314cff to 3d72208 Compare November 25, 2025 21:14
@rafaeelaudibert rafaeelaudibert merged commit a6f565a into master Nov 26, 2025
12 checks passed
@rafaeelaudibert rafaeelaudibert deleted the harden-posthog-com-no-postscript-installs branch November 26, 2025 01:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smallbrownbike smallbrownbike smallbrownbike approved these changes

@corywatilo corywatilo Awaiting requested review from corywatilo

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rafaeelaudibert @smallbrownbike