#13169: security: add --ignore-scripts to npm install during plugin/hook installation
Labels: docs, channel: matrix, gateway, stale
Cluster: Plugin Management Enhancements
## Summary
- Add `--ignore-scripts` to all `npm install` invocations during plugin, hook pack, and extension dependency installation
- Update security docs (EN + zh-CN) to reflect that lifecycle scripts are now blocked by default
## Problem
When installing plugins or hook packs with npm dependencies, `npm install` runs without `--ignore-scripts`. This means a malicious package's `postinstall` (or `preinstall`, `install`) lifecycle scripts execute arbitrary code on the host machine *before* any code safety review.
## Fix
Added `--ignore-scripts` to the npm install argument array in all three locations:
1. `src/plugins/install.ts` — plugin dependency installation
2. `src/hooks/install.ts` — hook pack dependency installation
3. `extensions/matrix/src/matrix/deps.ts` — Matrix extension on-demand dependency installation
Also updated the security documentation in both English and Chinese to reflect that npm lifecycle scripts are now blocked by default.
## Files Changed
- `src/plugins/install.ts` — Added `--ignore-scripts` flag
- `src/hooks/install.ts` — Added `--ignore-scripts` flag
- `extensions/matrix/src/matrix/deps.ts` — Added `--ignore-scripts` flag
- `docs/gateway/security/index.md` — Updated docs
- `docs/zh-CN/gateway/security/index.md` — Updated Chinese docs
## Test plan
- [x] TypeScript compiles cleanly (no new errors)
- [x] Lint passes
- [x] No test changes needed — existing plugin/hook install tests don't exercise the npm install path (test plugins have no `dependencies`)
- [x] Legitimate plugins should not rely on `postinstall` scripts; if a native addon needs compilation, users can manually run `npm rebuild`
Closes #13132
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Greptile Overview
### Greptile Summary
This PR hardens dependency installation paths by adding `--ignore-scripts` to `npm install` when installing plugin dependencies (`src/plugins/install.ts`), hook pack dependencies (`src/hooks/install.ts`), and Matrix extension on-demand deps (`extensions/matrix/src/matrix/deps.ts`). It also updates the Gateway security documentation (EN + zh-CN) to reflect that npm lifecycle scripts are now blocked by default during these installs.
### Confidence Score: 4/5
- Mostly safe to merge, but one security hardening gap remains for pnpm installs in the Matrix extension path.
- The npm install paths are consistently updated to block lifecycle scripts, aligning with the stated security goal. However, the Matrix dependency installer still runs `pnpm install` without an ignore-scripts equivalent when a pnpm lockfile is present, leaving an execution path for lifecycle scripts in that environment.
- `extensions/matrix/src/matrix/deps.ts`
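As an added example (not code from this PR or the project), a TypeScript sketch of the two pieces the PR description and the review note above describe: building the dependency install arguments with `--ignore-scripts` for both npm and pnpm, and reporting which dependency manifests declare lifecycle scripts that the flag will skip, so an operator can see which native addons need a manual `npm rebuild` after review. The sample manifests and the `gypfile` heuristic are constructed assumptions.

```typescript
// Added example, not the project's own code. Manifests below are constructed.
type PackageManager = "npm" | "pnpm";

// The install-time lifecycle scripts that --ignore-scripts prevents from running.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"] as const;

interface Manifest {
  name: string;
  scripts?: Record<string, string>;
  gypfile?: boolean; // assumption: packages shipping a native addon set this
}

interface ScriptReport {
  name: string;
  skipped: string[];     // lifecycle scripts blocked by --ignore-scripts
  needsRebuild: boolean; // native addon: operator runs `npm rebuild` after review
}

// Both npm and pnpm accept --ignore-scripts on `install`; the review note flagged
// that the pnpm path was left out, so the flag is added regardless of manager.
function buildInstallArgs(manager: PackageManager, extra: string[] = []): string[] {
  const args = ["install", "--ignore-scripts", ...extra];
  return manager === "pnpm" ? args : args; // same shape for both managers
}

// Lists dependencies whose install-time scripts will be skipped, so the result
// can be surfaced before anyone decides to run `npm rebuild` for native addons.
function reportBlockedScripts(manifests: Manifest[]): ScriptReport[] {
  const reports: ScriptReport[] = [];
  for (const m of manifests) {
    const skipped: string[] = LIFECYCLE_SCRIPTS.filter((s) => m.scripts?.[s] !== undefined);
    if (skipped.length === 0) continue; // nothing blocked, nothing to report
    reports.push({ name: m.name, skipped, needsRebuild: m.gypfile === true });
  }
  return reports;
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS: Manifest[] = [
  { name: "plain-lib", scripts: { test: "node test.js" } },
  { name: "native-addon", gypfile: true, scripts: { install: "node-gyp rebuild" } },
  { name: "hooked-pkg", scripts: { postinstall: "node setup.js" } },
];
```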