If you are concerned about this, you can use pnpm.onlyBuiltDependencies to list trusted packages that may run postinstall scripts. In CI, I guess you can set NPM_TOKEN only for the step that does publish. But pnpm currently doesn't even read the token from NPM_TOKEN, it only reads the token from |
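As an added illustration of the CI pattern described in the reply (not code from the discussion or from the pnpm project), the GitHub Actions workflow below installs with lifecycle scripts disabled and exposes the registry token only to the publish step; the workflow path, the `NPM_TOKEN` secret name and the public npm registry are assumptions.

```yaml
# .github/workflows/publish.yml (assumed path; constructed example)
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # No dependency postinstall runs here, and this step's environment
      # holds no registry credential, so a malicious script has nothing to read.
      - name: Install
        run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Test
        run: pnpm test
      # The token exists only in this step. pnpm takes the auth token from
      # .npmrc rather than from NPM_TOKEN directly, so write a registry-scoped
      # _authToken line just before publishing.
      - name: Publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "$HOME/.npmrc"
          pnpm publish --no-git-checks
```

If some dependencies genuinely need their build scripts, the allowlist alternative from the reply is a `"pnpm": { "onlyBuiltDependencies": ["<package>"] }` entry in package.json, after which `pnpm install` without `--ignore-scripts` runs scripts only for the listed packages.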
Hello! I've read in the past that there are potential security issues when installing packages with npm/yarn etc. with postinstall scripts for dependencies reading sensitive environment variables (such as NPM_TOKEN), and it's necessary to use `--ignore-scripts` when installing, especially on CI servers. Does anyone know if this is still relevant advice? Does it apply to pnpm?