Several npm commands (except npm ci) will consume package.json
So typically npm install (unless with --ignore-scripts or .npmrc with ignore-scripts=true) will run preinstall, install, postinstall, preprepare, prepare, postprepare
Those are effectively documented in the "Life Cycle Operation Order" https://docs.npmjs.com/cli/v10/using-npm/scripts#life-cycle-operation-order
The following npm commands will explicitly execute scripts, despite it being disabled; some are less obvious that could be hooked:
npm diff (prepare)
npm version (preversion, version, postversion)
npm run ...
npm start (defaults to node server.js)
npm stop
npm restart
npm test
npm run-script
.npmrc can be in the CWD and can override standard NPM registry like
registry=https://registry.notnpmjs.org
Using .npmrc will help with scenario with npm install -g something as this would not care about package.json. A mitigation could be adding --ignore-scripts or specifying the registry with --registry=
What about node_modules or NODE_PATH
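An added example, not part of the original issue: a small Node.js check over a directory's package.json and .npmrc contents that reports which of the scripts listed above would run and whether the registry is overridden. The function names, finding format and sample input are hypothetical; the scoped `@scope:registry` key is standard npm configuration that the issue does not mention.

```javascript
// Added example: flag what npm would run or honour in a directory before using it.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare'];
const EXPLICIT = { // commands the issue lists as running scripts even when disabled
  'npm diff': ['prepare'],
  'npm version': ['preversion', 'version', 'postversion'],
  'npm start': ['start'], 'npm stop': ['stop'],
  'npm restart': ['restart'], 'npm test': ['test'],
};
const DEFAULT_REGISTRY = 'https://registry.npmjs.org';

// Parse the ini-style key=value lines of an .npmrc; '#' and ';' start comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line[0] === '#' || line[0] === ';' || eq < 1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

function auditProject(packageJsonText, npmrcText = '') {
  const defined = new Set(Object.keys(JSON.parse(packageJsonText).scripts || {}));
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  const onInstall = INSTALL_HOOKS.filter((s) => defined.has(s));
  if (onInstall.length && cfg['ignore-scripts'] !== 'true') {
    findings.push({ kind: 'install-hook', command: 'npm install', scripts: onInstall });
  }
  for (const [command, names] of Object.entries(EXPLICIT)) {
    const hit = names.filter((s) => defined.has(s));
    if (hit.length) findings.push({ kind: 'explicit-hook', command, scripts: hit });
  }
  for (const [key, value] of Object.entries(cfg)) {
    const isRegistry = key === 'registry' || key.endsWith(':registry');
    if (isRegistry && value.replace(/\/+$/, '') !== DEFAULT_REGISTRY) {
      findings.push({ kind: 'registry-override', key, value });
    }
  }
  return findings;
}
// Constructed sample input, not taken from any real package.
const SAMPLE_PKG = JSON.stringify({ name: 'demo', scripts: {
  postinstall: 'node setup.js', prepare: 'node build.js', test: 'node t.js' } });
const SAMPLE_NPMRC = '; constructed\nregistry=https://registry.notnpmjs.org\nignore-scripts=true\n';
console.log(auditProject(SAMPLE_PKG, SAMPLE_NPMRC));
```

With `ignore-scripts=true` in the sample .npmrc the install hooks are not reported, but the `prepare` and `test` scripts still appear under the commands that run them explicitly.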