#11432: fix(security): add --ignore-scripts to npm install in hook and plugin installers
Status: stale
Cluster: Plugin Management Enhancements
## Fix Summary
Add `--ignore-scripts` to all `npm install` invocations in hook and plugin install flows to prevent execution of untrusted lifecycle scripts (`preinstall`, `install`, `postinstall`) from packages and their transitive dependencies.
**Files changed:**
- `src/hooks/install.ts` — added `--ignore-scripts` to npm install args
- `src/plugins/install.ts` — added `--ignore-scripts` to npm install args
## Issue Linkage
Fixes #11431
## Security Snapshot
| Metric | Value |
|--------|-------|
| **Score** | 9.6 / 10.0 |
| **Severity** | Critical |
| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
## Implementation Details
### Files Changed
- `src/hooks/install.ts` (+1/-1)
- `src/plugins/install.ts` (+1/-1)
### Technical Analysis
Both installers invoke `npm install` to fetch the dependencies a hook pack or plugin declares. Without `--ignore-scripts`, npm runs each package's `preinstall`, `install` and `postinstall` scripts (and `prepare` for git dependencies) with the installing user's privileges, so any package anywhere in the transitive tree can execute arbitrary commands before the hook or plugin is ever loaded. With the flag appended to both invocations, npm still resolves and unpacks the whole tree but runs none of these scripts, which removes install-time code execution from the flow. Two limits follow: the flag does not constrain code that runs when the hook or plugin is later loaded, and it suppresses benign scripts as well, including native builds run from an `install` script, which then have to be performed explicitly.
## Validation Evidence
- Command: `--ignore-scripts` (only the flag was captured, not the full invocation)
- Status: failed
## Risk and Compatibility
Described as non-breaking; the compatibility impact was not explicitly documented in the original PR body. Note that `--ignore-scripts` also skips legitimate lifecycle scripts, so a hook or plugin dependency that relies on one (for example a native addon built by its `install` script) is installed without that step and may fail at load time until it is rebuilt explicitly.
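The two behaviours discussed in Technical Analysis and in Risk and Compatibility, as an added example in the installers' language (TypeScript). This is illustration code, not the project's `src/hooks/install.ts` or `src/plugins/install.ts`: the function names, the `NEGATIONS` list and the three sample `package.json` documents are assumptions constructed for the example. It builds an `npm install` argument vector that always carries `--ignore-scripts` and refuses to let a caller negate it, then audits installed packages to list the lifecycle scripts that the flag suppressed so a maintainer can review them and rebuild what is legitimate.

```typescript
// Added example, not code from the project: hand npm an argument vector that
// always disables lifecycle scripts, then report which install-time scripts
// --ignore-scripts suppressed so a maintainer can decide what to rebuild by hand.

// Lifecycle scripts npm runs while installing a package. `prepare` runs for
// the root package and git dependencies; the other three run for every
// dependency in the tree.
const INSTALL_LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"] as const;
type LifecycleScript = (typeof INSTALL_LIFECYCLE_SCRIPTS)[number];

// Spellings npm's option parser accepts to turn a boolean flag back off.
const NEGATIONS = ["--no-ignore-scripts", "--ignore-scripts=false"];

function contains(list: readonly string[], value: string): boolean {
  return list.indexOf(value) !== -1;
}

/** argv for `npm install <specs...>`; --ignore-scripts is always present and cannot be negated. */
function buildNpmInstallArgs(specs: string[], extraFlags: string[] = []): string[] {
  const args = ["install"].concat(specs, ["--ignore-scripts"]);
  for (const flag of extraFlags) {
    if (contains(NEGATIONS, flag)) {
      throw new Error("refusing to re-enable lifecycle scripts via " + flag);
    }
    if (!contains(args, flag)) args.push(flag); // de-duplicate repeated flags
  }
  return args;
}

/** Guard to evaluate right before spawning npm: true only when scripts stay disabled.
 *  Any negation anywhere in argv is treated as unsafe rather than reasoning about npm's precedence. */
function hasIgnoreScripts(args: readonly string[]): boolean {
  if (!contains(args, "--ignore-scripts")) return false;
  for (const neg of NEGATIONS) {
    if (contains(args, neg)) return false;
  }
  return true;
}

interface SkippedScript {
  name: string;
  version: string;
  script: LifecycleScript;
  command: string;
}

/** Lifecycle scripts declared in one package.json that --ignore-scripts prevented from running. */
function skippedScriptsFor(packageJson: string): SkippedScript[] {
  const pkg = JSON.parse(packageJson) as { name?: unknown; version?: unknown; scripts?: unknown };
  const scripts = pkg.scripts;
  if (typeof scripts !== "object" || scripts === null) return [];
  const table = scripts as Record<string, unknown>;
  const name = typeof pkg.name === "string" ? pkg.name : "<unnamed>";
  const version = typeof pkg.version === "string" ? pkg.version : "<unknown>";
  const out: SkippedScript[] = [];
  for (const script of INSTALL_LIFECYCLE_SCRIPTS) {
    const command = table[script];
    // An empty or whitespace-only script would have been a no-op, so do not report it.
    if (typeof command === "string" && command.trim() !== "") {
      out.push({ name, version, script, command });
    }
  }
  return out;
}

/** Audit installed packages (directory name -> package.json text) and collect the suppressed scripts. */
function auditSkippedScripts(packageJsons: Record<string, string>): SkippedScript[] {
  const out: SkippedScript[] = [];
  for (const dir of Object.keys(packageJsons)) {
    try {
      out.push(...skippedScriptsFor(packageJsons[dir]));
    } catch (err) {
      // A package.json that does not parse is itself worth surfacing rather than silently skipping.
      throw new Error("unreadable package.json for " + dir + ": " + (err as Error).message);
    }
  }
  return out;
}

// Constructed sample: three package.json files as they might sit under node_modules after
// installing a plugin's dependencies. Names and scripts are made up for this example.
const SAMPLE_PACKAGES: Record<string, string> = {
  "hook-helper": JSON.stringify({ name: "hook-helper", version: "1.2.3",
    scripts: { postinstall: "node scripts/setup.js", test: "jest" } }),
  "native-addon": JSON.stringify({ name: "native-addon", version: "0.4.0",
    scripts: { install: "node-gyp rebuild" } }),
  "clean-lib": JSON.stringify({ name: "clean-lib", version: "2.0.0",
    scripts: { build: "tsc" } }),
};

function demo(): void {
  const args = buildNpmInstallArgs(["hook-helper@1.2.3"]);
  console.log("npm " + args.join(" ") + " -> " + (hasIgnoreScripts(args) ? "hardened" : "UNSAFE"));
  for (const s of auditSkippedScripts(SAMPLE_PACKAGES)) {
    console.log("skipped " + s.script + " in " + s.name + "@" + s.version + ": " + s.command);
  }
}
demo();
```

Running the audit after `npm install --ignore-scripts` turns the compatibility caveat into an actionable list: `native-addon` shows up because its `install` script did not run, while `clean-lib` is absent because its only script is a build step that install never triggers. The guard in `hasIgnoreScripts` is the check to put directly in front of the spawn call so a later refactor that drops the flag fails loudly instead of quietly re-enabling script execution.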
## AI-Assisted Disclosure
- AI-assisted: yes
- Model: Claude Code
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR adds `--ignore-scripts` to the `npm install` commands used during hook-pack and plugin dependency installation (`src/hooks/install.ts` and `src/plugins/install.ts`). This prevents untrusted lifecycle scripts (e.g., `preinstall`/`postinstall`) from executing when installing third-party hook/plugin dependencies, reducing RCE risk during these install flows.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk.
- The change is narrowly scoped to appending `--ignore-scripts` to existing `npm install` invocations in two installer flows. It does not alter control flow or data handling beyond disabling lifecycle scripts, and there are no other `npm install` call sites in `src/` using the same helper that appear to be missed.
- No files require special attention
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
## Most Similar PRs
| PR | Author | Date | Similarity |
|----|--------|------|------------|
| #13169: security: add --ignore-scripts to npm install during plugin/hook in... | RamiNoodle733 | 2026-02-10 | 87.8% |
| #8073: fix(plugins): add --ignore-scripts to npm install | yubrew | 2026-02-03 | 86.8% |
| #8600: fix(update): add --ignore-scripts to prevent supply chain attacks | yubrew | 2026-02-04 | 83.5% |
| #8075: fix(skills): add --ignore-scripts to all package managers | yubrew | 2026-02-03 | 82.3% |
| #11032: fix(security): block plugin install/load on critical source scan fi... | coygeek | 2026-02-07 | 80.5% |
| #22425: chore: make prepare git hooks setup cross-platform | OldFineDev | 2026-02-21 | 78.9% |
| #14112: test(security): harden plugin install against script execution | davidahmann | 2026-02-11 | 78.1% |
| #11817: fix(build): compile bundled hook handlers into dist | AnonO6 | 2026-02-08 | 76.9% |
| #19021: fix(hooks): reject path traversal in hook pack manifest entries dur... | moxunjinmu | 2026-02-17 | 76.9% |
| #3006: fix(scripts): use local pnpm binary in run-node.mjs if global is mi... | elliotsecops | 2026-01-27 | 76.7% |