Ability to run `npx` without network access
azerum opened this issue Ā· comments
Scripts that are run with npx-safe
still have network access, even when allow-net
is false
. See this repository for the details
The net access is given explicitly in the code
npx
has a feature to download package if it's not yet installed. I guess this is the main motivation behind giving npx
internet access? It would be nicer to allow npx-safe
to run without internet access by default, or with some switch, or we should at least mention this in README, since, I think, the behavior is quite surprising and potentially dangerous
With npx-safe eslint
, ESLint will have internet access. With "scripts": { "lint": "eslint" }
in package.json
and npm-safe run lint
, it won't
P.S. Thank you a lot for the project. This package has a potential to safe JS ecosystem :)