Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't auto-install lefthook if not found #602

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Don't auto-install lefthook if not found #602

wants to merge 3 commits into from

Conversation

anthony-hayes
Copy link

@anthony-hayes anthony-hayes commented Jan 5, 2024
edited
Loading

Closes # (issue)

#599

⚡ Summary

As-is, if lefthook is not found, it will auto-install the latest lefthook from npm. (npx auto-fetches by default)

This isn't great:

  1. Security: npm isn't known for being the most secure platform, and if the package was the target of an attack, all lefthook users with node installed would be affected, even those who don't use the lefthook npm package.

  2. User friendliness: installing binaries on the user's computer without their permission isn't great, and one of those lefthook binaries (an .exe file) was flagged by an anti-malware package at my organization.

It seems that the intention was to just print a message when lefthook is not found (which I agree with) and it's possible that using npx's fetch-if-not-installed behaviour was just an oversight when implementing this. That said, anyone who has node installed will not get that far, and will be subject to the auto-install behaviour.

☑️ Checklist

  • Check locally
  • Add tests
  • Add documentation

@dylanlan
Copy link

dylanlan commented Jan 5, 2024

Relates to discussion: #599

mrexox
mrexox reviewed Jan 9, 2024
View reviewed changes
internal/templates/hook.tmpl Outdated Show resolved Hide resolved
internal/templates/hook.tmpl Outdated
then
npx @evilmartians/lefthook "$@"
npx --no-install @evilmartians/lefthook "$@"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand your concern. The @evilmartians/lefthook package indeed installs .exe file. I think it will be better to change this line to npx lefthook "$@".

If we add --no-install here it will confuse people because it will just print

npm ERR! canceled

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/user/.npm/_logs/2024-01-09T09_02_30_257Z-debug-0.log

It's a breaking change and it has to be thought out. Initial intention was to do a seamless run via npx.

Copy link
Author

@anthony-hayes anthony-hayes Jan 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"It's a breaking change and has to be thought out" - totally understand, thanks for taking the time to look at this!

I'd rather just remove the npx lines in that case - for me the auto-install behaviour is problematic even without the .exe 😅 .

e.g. I run brew remove lefthook but then lefthook mysteriously re-installs itself in my npx cache

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I got it 👍 So this PR will wait until I decide to release a major update. Thank you for your contribution!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good! Thanks for solving the .exe issue in the meantime. 😁

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrexox mrexox mrexox left review comments

Assignees
No one assigned
Labels
breaking change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@anthony-hayes @dylanlan @mrexox