npm install commands should include --ignore-scripts #4198

@andorrax101

Description

npm install <package-name> allows scripts to be run alongside/during package installation. This has been a vector for one of the worst npm malware attacks to date (see link: https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/)

To help protect students of this course from falling victim to such attacks (and instill good practice when dealing with npm), it may be worth modifying all instances of npm install <package-name> within the course contents to npm install <package-name> --ignore-scripts, along with an explanation of why this is added.

For those who wish to know more, see HN discussion thread: https://news.ycombinator.com/item?id=46032539
A list of affected packages may be found here: https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised

Labels: general (Issue or pull request that is not specific to any particular part of the course material)