Allow --no-install to be set in a config file
libinvarghese opened this issue · comments
This is clone of npm/npm#19673 and seems relevant here.
Running npx [command] will auto-install and auto-run a module if not installed. This is a handy feature. However there are few scenarios where --no-install
is helpful.
- If the project depends on a certain devDependency version, and would not work on the latest - this could break the build.
- Some projects follow the process of keeping all devDependencies locally.
To avoid using --no-install
in every npx command, could no-install
be set in a config file like npxrc
or in package.json
as below:
{
"npx": { "noInstall": true },
}
I would think --no-install
should be the default behavior (principle of least surprise; see: npm/npm#19673 (comment)). And in that case, if the command is not found, npx's console output should give a hint about the possibility of using an --install
flag, i.e. instead of only reporting not found: <cmd>
.
should be the default behavior
I agree with this sentiment.
However I think there should also be a config available for npx
. Should we raise a separate issue for that? #105 requests that, but people keep focusing on the --no-install
option specifically.
Note that npm-run
is an alternative to npx
, which doesn't have this problem. This is a security issue that's been open for over a year - seems unlikely it will be fixed soon - so moving to a package that behaves in a safe and sane way would seem prudent.