Skip to content

build: remove no-op preinstall script#1690

Open
everett1992 wants to merge 1 commit into
googleapis:mainfrom
everett1992:no-preinstall
Open

build: remove no-op preinstall script#1690
everett1992 wants to merge 1 commit into
googleapis:mainfrom
everett1992:no-preinstall

Conversation

@everett1992

Copy link
Copy Markdown

The no-op preinstall script is a security risk and will cause friction for developers using npm v12, pnpm, and other npm clients that error on packages that define install script hooks.

https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
https://pnpm.io/supply-chain-security#block-risky-postinstall-scripts

I'm calling it a security risk, not because there's a vulnerability in @google/genai's preinstall script today, but because developers may thoughtlessly and needlessly approve @google/genai which opens the door if an attacker manages to compromise this repository and publish a malicious script.

It adds friction too, when I updated by dependencies I was prompted to review and approve @google/genai's scripts. Which I denied, since it's just a no-op, but it took time out of my day. If I maintained a library I'd hesitate to production-depend on this package, or any package with a install script because I don't want my consumers to have to make the same choices.

@google-cla

google-cla Bot commented Jun 15, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

The no-op preinstall script is a security risk and will cause friction for developers using npm v12, pnpm, and other npm clients that error on packages that define install script hooks.

https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
https://pnpm.io/supply-chain-security#block-risky-postinstall-scripts

I'm calling it a security risk, not because there's a vulnerability in @google/genai's preinstall script today, but because developers may thoughtlessly and needlessly approve @google/genai which opens the door if an attacker manages to compromise this repository and publish a malicious script.

It adds friction too, when I updated by dependencies I was prompted to review and approve @google/genai's scripts. Which I denied, since it's just a no-op, but it took time out of my day. If I maintained a library I'd hesitate to production-depend on this package, or any package with a install script because I don't want my consumers to have to make the same choices.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant