Add new EAS Build lifecycle hook: eas-build-post-dependency-install
Thomas
I propose adding a new EAS Build lifecycle hook that runs immediately after package dependencies are installed (e.g., after npm install) but before expo prebuild or pod install.
In our project, we are using ignore-scripts=true to prevent unwanted scripts from running when installing npm packages. That also disables npm's native "preinstall" hook. We are using @lavamoat/allow-scripts to run white-listed scripts after install.
We have to use eas-build-post-install at the moment, but that runs AFTER prebuild. That could cause issues if there are any packages used in prebuild that need to run pre- or post-install scripts.
Brent Vatne
hello! the idea was that you could use the `postinstall` script for this in your package.json, that's interesting that it's disabled. can you use @lavamoat/allow-scripts to run your scripts instead? or, alternatively, if there are scripts that need to run after install but before prebuild, could you make those config plugins?
Thomas
Brent Vatne When using `@lavamoat/allow-scripts`, we have to run the `allow-scripts` command manually (which runs all white-listed scripts) after packages are installed (since all pre- and postinstall scripts are disabled with ignore-scripts=true set in .npmrc). That is why it would be nice to have a post-dependency-install hook. I suspect more projects will use ignore-scripts=true in the future, as a security mitigation for malicious packages.
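For readers following the workaround described in this thread, here is a package.json sketch of the setup (an added illustration, not a file from the original request or from Expo): `.npmrc` contains the single line `ignore-scripts=true`, so npm runs no lifecycle scripts for dependencies or for the project itself; the `lavamoat.allowScripts` map is the explicit allowlist that @lavamoat/allow-scripts consults; and the `eas-build-post-install` hook invokes `allow-scripts` on EAS Build, which still works because EAS calls the hook explicitly with `npm run` rather than as an install lifecycle script. The package names `example-native-dep` and `example-telemetry-dep` and the version range are placeholders.

```json
{
  "name": "example-app",
  "private": true,
  "scripts": {
    "eas-build-post-install": "allow-scripts"
  },
  "devDependencies": {
    "@lavamoat/allow-scripts": "^3.0.0"
  },
  "lavamoat": {
    "allowScripts": {
      "example-native-dep": true,
      "example-telemetry-dep": false
    }
  }
}
```

With this configuration, `npm install` (and `npm ci`) installs packages without executing any preinstall/install/postinstall scripts; running `npx allow-scripts` afterwards executes those scripts only for packages mapped to `true`, and `npx allow-scripts auto` can be used locally to list dependencies that declare scripts so each one can be reviewed before being allowed. Because `eas-build-post-install` runs after prebuild, any allowed package whose scripts must have run before prebuild is exactly the gap this request is about.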
Brent Vatne
Thomas - it seems to me that package managers should support a way for you to block scripts from node_modules but still execute your own package.json scripts, no?
Thomas
Brent Vatne Yes, I agree. But as far as I know, https://docs.npmjs.com/cli/v8/using-npm/config#ignore-scripts is the only option when using npm. Maybe they will add more options in the future
Brent Vatne
Thomas - as far as i can tell, bun, pnpm, and yarn all behave correctly here. npm is the odd one out that doesn't appear to have a good way to ignore postinstall scripts from dependencies while also still behaving correctly with respect to your own project scripts.
Thomas
Brent Vatne That's a good point. I'll definitely investigate if switching our package manager is a viable option for us, if our company policies allow it.
It would still be nice to have an option for npm users, though. Since npm is still the default for many, adding this hook in EAS would be a great way to support users who have configured their projects with ignore-scripts=true for security.