trusted dependencies

[gkiely]

What is the problem this feature will solve?
Arbitrary npm scripts being run on postinstall without the developers knowledge.

What is the feature you are proposing to solve the problem?
In light of the recent npm attacks, it would be great to support something similar to bun's trustedDependencies.

This allows a list the most popular dependencies to run on postinstall and requires defining an array of additional dependencies to run in trustedDependencies.

[kchindam-infy]

This is a feature request/discussion rather than a CLI bug. we are going to close it here and recommended moving the conversation to our https://github.com/npm/feedback/discussions or https://github.com/npm/rfcs/discussions

[gkiely]

Looks like this is already in discussion here: npm/rfcs#488.