Block install scripts with ignore-scripts

npm and pnpm run lifecycle scripts automatically when you install dependencies. A poisoned package can use those scripts to run code the moment it lands on your machine. Turning on ignore-scripts disables that automatic execution; it is one of the cheapest, highest-impact hardening steps you can take.

What ignore-scripts does

During an install, npm and pnpm automatically execute the lifecycle scripts a package declares: preinstall, install, postinstall, and for some sources prepare. These hooks exist for legitimate reasons (compiling native add-ons, downloading binaries), but they also hand arbitrary code execution to every dependency in your tree. A compromised package can put a payload in one of these scripts and have it run the instant it is fetched, before you ever import or run anything.

Setting ignore-scripts disables the automatic execution of these scripts. The dependency is still downloaded and unpacked into node_modules, but its install-time hooks never fire.

Turn it on

The key and the file where it lives differ between package managers and versions. Here are the settings DepsGuard recommends and can apply for you.

npm

Add to your .npmrc:

ignore-scripts=true

See the npm config docs.

pnpm

On pnpm before 10.16, set it in .npmrc (or another rc file):

ignore-scripts=true

On pnpm ≥ 10.16, use the camelCase key in pnpm-workspace.yaml (per project) or the global config.yaml:

ignoreScripts: true

Note: since v10, pnpm also blocks dependency build scripts by default and uses an allowlist (onlyBuiltDependencies) to permit the packages you trust to build. See the pnpm settings docs.

Why it matters

Many npm worms have spread entirely through install lifecycle scripts. In the Shai-Hulud campaign, the payload ran from a script that fired automatically on install, stealing credentials and republishing itself to other packages the victim controlled. With scripts blocked, the malicious package simply sits as inert files in node_modules: it is downloaded, but the payload never executes. That breaks the attack chain at the exact point where most of these worms gain their first foothold.

Trade-offs

Heads up: a blanket ignore-scripts=true also hits packages that legitimately need build scripts: esbuild, sharp, Playwright, and any native add-on built with node-gyp rely on install-time hooks and will not be ready to use until those hooks run. It also silences your own project's lifecycle scripts (a root prepare or postinstall, and on npm the pre/post hooks around npm run and npm test), so anything you relied on there has to become an explicit script invocation. In practice the workable form is an allowlist or approval model: block by default, permit the few packages you actually trust to build. On pnpm that is onlyBuiltDependencies; on npm before v12 the manual equivalent is to keep ignore-scripts on and rebuild the trusted packages explicitly with npm rebuild <name> --ignore-scripts=false.

It is also not a complete defense. A dependency pulled from a git source can ship its own config or run a prepare hook, so pair ignore-scripts with restricting git and remote sources and with a dependency cooldown. Looking ahead, npm v12 (expected in 2026) blocks dependency install scripts by default, managed by an npm approve-scripts allowlist, so on npm v12 setting ignore-scripts yourself is largely redundant for blocking.

Let DepsGuard set it up

DepsGuard checks whether ignore-scripts is configured for the package managers you have installed and applies it in the right file (with a diff preview and a backup before any change), so you do not have to remember which key goes where.