Closed
Labels: type: bug (Something isn't working)
Description
Current Behavior
When I run a first nx console command, or when I run nx reset and then an nx console command, a shell appears saying "npm install nx@latest" (this is a windows machine, so I can sometimes see sub-processes flashing up in a shell):
I reported this to security@nrwl.io before (subject "nx pulling unqualified npm packages"); in their response on Thursday, November 27, they asked me to open a ticket with you.
Expected Behavior
Given the recent incident nrwl/nx#32522 and the ongoing attacks on the npm package registry, I am deeply concerned about Nx pulling unqualified (like "latest") NPM packages behind my back.
Steps to Reproduce
Reproduction Repository/Steps:
- on Windows (I don't know how other OSes display sub-processes)
- `nx reset`
- some nx command, e.g. `nx graph` (if you're inside an Nx workspace)
Logs (Required)
Environment
- on Windows 11 command line
Nx Report:
$ nx report
NX Report complete - copy this into the issue template
Node : 24.11.0
OS : win32-x64
Native Target : x86_64-windows
npm : 11.6.2
nx (global) : 22.0.2
nx : 22.1.2
@nx/js : 22.1.2
@nx/jest : 22.1.2
@nx/eslint : 22.1.2
@nx/workspace : 22.1.2
@nx/angular : 22.1.2
@nx/devkit : 22.1.2
@nx/eslint-plugin : 22.1.2
@nx/module-federation : 22.1.2
@nx/playwright : 22.1.2
@nx/rspack : 22.1.2
@nx/web : 22.1.2
@nx/webpack : 22.1.2
typescript : 5.9.2
---------------------------------------
Registered Plugins:
@nx/playwright/plugin
@nx/eslint/plugin
---------------------------------------
Community plugins:
@ngrx/effects : 20.1.0
@ngrx/entity : 20.1.0
@ngrx/operators : 20.1.0
@ngrx/router-store : 20.1.0
@ngrx/store : 20.1.0
@ngrx/store-devtools : 20.1.0
angular-eslint : 20.4.0
---------------------------------------
Cache Usage: 0.00 B / 47.43 GB
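The concern in this report is an install command whose specifier is a dist-tag ("nx@latest") rather than an exact version, so it resolves to whatever the registry currently serves. The following is an added example, not code from the Nx project or from this issue, showing how a reviewer might classify npm package specifiers and flag unpinned ones in a captured command line. The function names (`classifySpec`, `findUnpinnedInstalls`) and the sample command lines are constructed for illustration.

```javascript
// Added example (not part of Nx or this issue): classify npm package specifiers
// and flag those that are not pinned to an exact version.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Range operators (~, ^, >, <, =) and wildcard forms such as "22.x" or "*".
const RANGE_PREFIX = /^[~^<>=]/;
const WILDCARD = /^(\d+|x|\*)(\.(\d+|x|\*)){0,2}$/i;

// Split "name@range" while respecting scoped names like "@nx/js@22.1.2".
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  // at <= 0 means either no range ("nx") or a scoped name with no range ("@nx/js").
  if (at <= 0) return { name: spec, range: '' };
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Returns { name, range, kind } where kind is one of:
//   'exact'       - pinned to a single version
//   'range'       - semver range or wildcard; the registry picks within it
//   'unqualified' - no version given at all; npm treats this as the "latest" tag
//   'dist-tag'    - a tag such as "latest" or "next" (anything else non-exact)
function classifySpec(spec) {
  const { name, range } = parseSpec(spec);
  if (range === '') return { name, range, kind: 'unqualified' };
  if (EXACT_VERSION.test(range)) return { name, range, kind: 'exact' };
  if (RANGE_PREFIX.test(range) || WILDCARD.test(range) ||
      range.includes('||') || range.includes(' - ')) {
    return { name, range, kind: 'range' };
  }
  return { name, range, kind: 'dist-tag' };
}

// Given a captured command line such as "npm install nx@latest", return the
// package specifiers that are not pinned to an exact version.
function findUnpinnedInstalls(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const verbs = new Set(['install', 'i', 'add']);
  const verbIndex = tokens.findIndex((t) => verbs.has(t));
  if (verbIndex === -1) return [];
  return tokens
    .slice(verbIndex + 1)
    .filter((t) => !t.startsWith('-'))      // skip flags such as -D
    .filter((t) => classifySpec(t).kind !== 'exact');
}

// Constructed sample command lines for a stand-alone run.
const samples = [
  'npm install nx@latest',
  'npm install -D @nx/js@22.1.2',
  'npm i nx',
  'npm install nx@^22.0.0',
];
for (const cmd of samples) {
  console.log(JSON.stringify(cmd), '->', findUnpinnedInstalls(cmd));
}
```

Anything that is not an exact version is reported, including a bare name, because npm resolves a missing range to the "latest" dist-tag. Git and URL specifiers, which npm also accepts, fall into the 'dist-tag' bucket here and are therefore flagged as unpinned as well.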