preinstall and postinstall are not run

[edoloughlin]

Do you want to request a feature or report a bug?
Bug
What is the current behavior?
preinstall and postinstall scripts are not run

If the current behavior is a bug, please provide the steps to reproduce.
run yarn

What is the expected behavior?
preinstall and postinstall scripts are executed

Please mention your node.js, yarn and operating system version.
yarn 0.15.1
node 4.5.0
Windows 7 (running via Cygwin and/or CMD)

[Jessidhia]

This seems to be intentional.

However, some alternative will need to be found... especially for the many packages that depend on node-gyp running on install.

[dominictarr]

There are a number of modules that use post-install script to download a prebuilt version of a package. (for example: electron-prebuilt, leveldown, sodium-prebuilt)
this makes yarn be slower than npm, also, on platforms where getting built tools setup is a pain (i.e. windows) it means you are able to use prebuilt modules without actually running a compiler.

This makes postinstall very much worth supporting.

[max-degterev]

we use postinstall in our build to create certain "package" symlinks, would also need some sort of postinstall trigger

[michaelperrin]

This issue is a duplicate of #721

[didierfranc]

So what is --ignore-script used for ?

yarn -h

Options:

    -h, --help                  output usage information
    -V, --version               output the version number
    --offline                   
    --prefer-offline            
    --strict-semver             
    --json                      
    --global-folder [path]      
    --modules-folder [path]     rather than installing modules into the node_modules folder relative to the cwd, output them here
    --packages-root [path]      rather than storing modules into a global packages root, store them here
    --mutex [type][:specifier]  use a mutex to ensure only one yarn instance is executing
    --har                       save HAR output of network traffic
    --ignore-engines            ignore engines check
    --ignore-scripts            
    --ignore-optional           
    --force                     
    --flat                      only allow one version of a package
    --prod, --production        
    --no-lockfile               don't read or generate a lockfile
    --pure-lockfile             don't generate a lockfile

[AndreiRailean]

postinstall is also not run in create-react-app, which breaks upgrades facebook/create-react-app#896

[FLGMwt]

Addressed in #800

[sebmck]

Fixed via #800.

[tomek-he-him]

Hey guys, good to know we now have full compatibility with the npm package lifecycle.

But preinstall and postinstall have always been bugging me as a massive security flaw. Supposing an attacker published a patch release to something like https://www.npmjs.com/package/once – he can now execute any code on all machines which use once somewhere in the dependency tree. Thousands or tens of thousands of developer laptops and production servers.

Do you see that as a concern worth addressing?

[max-degterev]

Bit since it's open source, doesn't it make sense to review what you are including in your project anyway?

[tomek-he-him]

@suprMax Any real-world project has at least a couple of hundred dependencies including transitive dependencies. Perhaps I’m doing it wrong (and I’m sure security-oriented startups do this sort of thing), but I’ve never done an audit of all npm scripts of all packages that would be dowloaded prior to installing them or updating them.

[tomek-he-him]

Any real-world project has at least a couple of hundred dependencies including transitive dependencies.

To back this up with data, the project I’m currently working on has 39 dependencies and 63 devDependencies, but the install resolves to 1244 packages in the node_modules directory.

[jamesaspence]

@tomekwi This case you describe would be just as possible if a third party you used had a security exploit, would it not? Either way, you would be unaware of the security hole in your code. I think your concern is valid to a degree, but I don't think it's yarn's responsibility to fix that, nor do I think they really can fix that. It's the developer's responsibility to manage and update his dependancies carefully IMO.

[tomek-he-him]

👍 @jamesaspence

Since one of the core selling points of yarn is full compatibility with npm, I agree supporting hook scripts is unavoidable. What I’m frustrated with is the design of npm, which yarn seems to work around pretty neatly in other aspects. #jsfatigue

Is --ignore-scripts a way to opt out of hooks?

[siebertm]

So what's the status on that issue now?

For example, our app uses node-sass as a dependency. node-sass has a install script, which fetches a prebuilt version from soem remote.

When I yarn install on my local machine, the install script is indeed being run, the prebuild library downloaded and everything is great.

When I yarn install on our CI (GitLab CI to be specific), it doesn't seem to run the install scripts and the prebuilt library is not there, thus I cannot build.

This happens for phantomjs-prebuilt, too.

I now worked around this by adding an postinstall script to my MAIN package.json, which is also run on CI...

[janusch]

@siebertm Are you using the yarn offline-mirror feature?
I am wondering on how I can get the binaries of e.g. node-sass and electron into the offline-mirror?

Is that at all supported, or are there any workarounds that let me use the offline-miror to install from for machines that are not connected to the internet?

Any advice would be greatly appreciated!

[siebertm]

You can't, since the downloading process is iniated by the npm package, not by yarn. Maybe you could ask the node-sass/electron-prebuilt maintainers about this...

…

On Mon, Jan 9, 2017 at 1:55 PM, Janusch ***@***.***> wrote: @siebertm <https://github.com/siebertm> Are you using the yarn offline-mirror feature? I am wondering on how I can get the binaries of e.g. node-sass and electron into the offline-mirror? Is that at all supported, or are there any workarounds that let me use the offline-miror to install from for machines that are not connected to the internet? Any advice would be greatly appreciated! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#853 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAH5atUxkK9DjDdd4TUb5Yy17AmZ8RGks5rQi4wgaJpZM4KUoFM> .

[theinterned]

@siebertm I'd be interested to know what you do in your postinstall script in that MAIN package.json

[janusch]

@siebertm Thank you for the reply!
I will go forward asking the post-install repos if the can imagine a scenario on how to make it work.

Could there be a different approach to getting binaries into the offline-mirror? Is it possible to build e.g. the node-sass source locally and then release to the offline-mirror?
Is it possible to get private custom packages into the offline-mirror?
Do you solve this issue through a custom postinstall, how does that look like?

[smeijer]

@siebertm I'd be interested to know what you do in your postinstall script in that MAIN package.json

@theinterned

• run tests
• apply hacks

The last one sounds dirty, but take materializecss for example. They have a dependency that is incorrectly positioned in my version, I use the postinstall to fix this dependency and copy a file (picker.js) back into the correct folder.

There are valid scenarios for a postinstall hook. Some ideas:

• fix system rights
• cleanup cache
• (re)store database
• run tests
• trigger (web)hook

[damianobarbati]

+1 for this!

[adibas03]

+1

[mrspence]

+1

[karneaud]

+1

[mechanical-turk]

+1 (for cypress)

[mDibyo]

When I yarn install on my local machine, the install script is indeed being run, the prebuild library downloaded and everything is great.

When I yarn install on our CI (GitLab CI to be specific), it doesn't seem to run the install scripts and the prebuilt library is not there, thus I cannot build.

@siebertm I know its been a long time, but I ran into the same problem, so felt I should comment.
yarn add checks if package is cached

• if yes, copies the package into node_modules
• if no, runs all scripts, caches the package, and copies the package into node_modules

yarn install checks if the package is cached.

• if yes, copies the package into node_modules
• if no, DOES NOT run scripts, caches the package, and copies the package into node_modules

I think the build is succeeding locally for you because you have a cached version with scripts run.
In CI, package isn't already cached. yarn install copies in package without running scripts.

This is what happened to me.

NOTE: The relevant issue is #1671. (It is still open. )

[terion-name]

Still a problem. postinstall scripts are not running thus breaking compatibility

[merceyz]

This was fixed back in 2016, if you're able to reproduce it now then open a new issue with steps to reproduce