A drop-in replacement for NPM's script-shell configuration that sandboxes the dependencies' scripts (e.g. deny network access) in response to situations like https://twitter.com/o_cee/status/892306836199800836 .

Targeted platforms:

• OSX via sandbox-exec

npm install --global --ignore-scripts git://github.com/andreineculau/package-sandbox.git
npm config set script-shell "$(which package-sandbox)" --global

Run your npm commands as usual.

By default, package-sandbox will deny network access to all npm scripts that are called as part of npm install, npm run, etc.

If you want to deny more than just network access, use

npm config set package-sandbox-path path/to/sandbox-exec-profile          # next to your top-level package.json
cd && npm config set package-sandbox-path path/to/sandbox-exec-profile    # or in your home folder
npm config set package-sandbox-path path/to/sandbox-exec-profile --global # or globally

and create your own sandbox-exec profile (reference) which may deny reading your SSH keys, writing anywhere else but in specific folders, etc.

If you want to test, clone this repository and let's sandbox it!

cd $(mktemp -d)
git clone git://github.com/andreineculau/package-sandbox.git
cd package-sandbox

export PACKAGE_SANDBOX_ROOT=${PWD}
npm run ping-google    # should fail to ping google.com
npm run ping-localhost # should fail to ping localhost

PACKAGE_SANDBOX_TRACE=1 npm install          # install devDependencies with trace on
find node_modules -name "package.*.trace.sb" # list trace files

NOTE that running with trace on ignores all other rules.

NOTE that the trace files include also sh/bash access.

This is a proof-of-concept.

Contributions are highly appreciated both to the default profile and to the package-sandbox script itself.

Supporting other platforms is secondary at this moment, but if you can cook something up - don't hide!

UNLICENSE