
#821

@davisherschel420-ui

Description


Copied from npm/npm#19673

I'm opening this issue because:

  • npm is doing something I don't understand.

What's going wrong?

A feature of npx that I was not aware of until today is that it will auto-install and auto-execute any module not found in path. I discovered this by typing npx ts (ts module) instead of npx tsc (typescript). By the time I realized what happened, the module had already installed and executed on my machine.

The module could be malicious, or just plain annoying to undo (e.g. writing certain files around my system, modifying configs, deleting files in current folder, etc). It's hard to know what just got run on my machine without downloading & inspecting the JS in the tarballs.

How can the CLI team reproduce the problem?

Running npx [command] will auto-install and auto-run a module not installed. This is a handy feature but IMHO it should be opt-in to avoid catastrophic situations where somebody mis-types a module, or runs code from a gist.

I realize it's not really different from npm install [bad-code], but at least the latter is much more explicit and obvious what is happening. I was under the impression npx was used for running local node_modules bin scripts, but not much else. I also tend to type npx [cmd] more frequently than npm install, thus it seems more prone to typos/errors.

Thoughts? Or is it just me?

EDIT:

Here is a scenario where npx [cmd] is a bit more problematic than just npm i.

  • A popular package, cool-mvc, has a bin script called funkytown. The docs guide users to run npm install cool-mvc && npx funkytown to launch the script in their own project.
  • At some point, the user loses reference to the bin script, e.g. by deleting the local node_modules or cd'ing out of the project folder.
  • The user runs npx funkytown again, and the result is surprising. It installs and executes the bin script in the funkytown module, not the cool-mvc module. This new module may be malicious, or just an unlucky coincidence.

Originally posted by @niedzielski in npm/npx#9
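One defensive answer to the behaviour described above, as an added example that is not part of the issue or of npm's code: a small POSIX sh wrapper that resolves a command the way `npx` does (nearest `node_modules/.bin` walking up from the current directory, then `PATH`) but treats a missing bin as an error instead of downloading a same-named package. The `funkytown`/`cool-mvc` names are the issue's hypothetical ones; later npx releases added a `--no-install` flag for the same purpose.

```shell
#!/bin/sh
# safe_npx: run a package bin only if it is already installed, never auto-install.
# Added example, not npm's code. Assumes npm's standard layout, where a
# project's bins are symlinked into ./node_modules/.bin.

# Resolve NAME to an executable in the nearest node_modules/.bin above $PWD,
# then in PATH. Prints the resolved path, or returns 1 if nothing is installed.
resolve_local_bin() {
    name=$1
    dir=$PWD
    while :; do
        candidate="$dir/node_modules/.bin/$name"
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    # Fall back to globally installed bins on PATH, still without installing anything.
    p=$(command -v "$name" 2>/dev/null) && [ -x "$p" ] && {
        printf '%s\n' "$p"
        return 0
    }
    return 1
}

# Like `npx NAME ARGS...`, except a missing bin fails (exit 127) instead of
# fetching and executing whatever package happens to be called NAME.
safe_npx() {
    name=$1
    shift
    bin=$(resolve_local_bin "$name") || {
        printf 'safe_npx: "%s" is not installed here; refusing to auto-install it.\n' "$name" >&2
        printf 'Install the package that provides it explicitly (npm install <package>) first.\n' >&2
        return 127
    }
    "$bin" "$@"
}
```

Running `safe_npx funkytown` after deleting `node_modules` now prints a refusal rather than executing an unrelated `funkytown` package from the registry.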
