
npm-preflight

v0.0.1

Published

Wrapper around npm install that warns about lifecycle scripts before running them.

Downloads

201

Readme

npm-preflight

A thin wrapper around npm install that detects preinstall, install, and postinstall lifecycle scripts in newly installed packages, prints them to you, and asks for confirmation before letting them run.

Vibe coded. Use at your own risk — this is a personal tool, not a hardened security product. It catches a real class of supply-chain attack but won't stop a determined attacker, and it won't catch malicious code that runs at require time rather than during install.

Why

Every npm install you run is an implicit decision to execute arbitrary code from every package in the resolved dependency tree. Most of the time that code is benign (node-gyp, esbuild, sharp), but postinstall is also the most common foothold for malicious npm packages. npm-preflight makes that decision explicit.

Install

npm install -g npm-preflight

That puts npm-preflight on your PATH. No runtime dependencies — it's a single Node script.

Usage

Use it exactly like npm:

npm-preflight install <package>           # add a local dep
npm-preflight install -g <package>        # global install
npm-preflight install                     # install from package.json
npm-preflight add <package>               # alias also works

Anything that isn't an install command is forwarded to npm unchanged:

npm-preflight view some-pkg               # → npm view some-pkg
npm-preflight --version                   # → npm --version

What you'll see

When a newly installed package has lifecycle scripts:

  ⚠  Lifecycle scripts detected

Direct dependencies (1):

  [email protected]
    postinstall: node install.js

Transitive dependencies (1):
  • [email protected] [install]

Run lifecycle scripts for 2 package(s)? [y/N]

  • Direct: packages you explicitly asked for. Their full script bodies are shown.
  • Transitive: packages pulled in by your direct deps. Listed with names and which lifecycle hooks they declare. To inspect a script body, use the version shown in the prompt (the registry's latest may differ): npm view <name>@<version> scripts.

Answer y to run the scripts (npm rebuild). Answer anything else to skip — files stay extracted on disk but no script executes.

How it works

  1. Snapshots node_modules (or the global prefix's lib/node_modules when -g is used).
  2. Runs npm install --ignore-scripts with your original arguments. Files extract, scripts don't run.
  3. Diffs the snapshot. Only newly added packages are inspected.
  4. Reads each new package's package.json and looks for preinstall, install, postinstall.
  5. On y, runs npm rebuild (scoped to the new packages when you passed names on the command line; with a bare install, npm rebuild covers the whole tree, so already-installed packages' scripts run again too). On n, leaves files in place but no script ever runs.

Because the inspection happens after resolution, you see the actual versions and scripts npm picked — not just whatever the registry currently advertises.

Limitations

  • Not a sandbox. If you say y, the scripts run with your full user permissions. This tool only gives you a chance to read what they are first.
  • Files are still on disk after n. Saying no skips script execution but the package contents are extracted. A future npm install or npm rebuild in that directory may run the scripts. Run npm uninstall <pkg> if you want it fully gone.
  • Only covers npm install / i / add. Other entry points (npm ci, npm update, pnpm, yarn) are not wrapped.
  • Doesn't catch require-time malware. A package that runs malicious code on require() rather than via lifecycle scripts will not be flagged.

License

MIT