DEV Community

official_dulin
official_dulin

Posted on

How to prevent other team member installing new npm package?

#npm #programming #discuss #node

Requirements:

  • Only the project owner can install new npm package.
  • npm install should work for local development and CI/CD pipeline.
  • When other team member run npm install <PackageName> command, it should print an error message like: "Installing new npm package is prevent, please contact the project owner."

Motivation: I don't want other team member install package at will. I want to limit this behavior through code or script.

This is an optional-based question, Thanks for any advice.

Top comments (6)

Collapse
 
lexlohr profile image
Alex Lohr

I believe you should focus on your repository and process (code review) in order to allow your team to earn your trust instead of preventing them from explorative use of external packages. Without trust, a team will never work smoothly, because everyone is watching their back. Also, document the handling of external packages in the README so that everyone can get the rationale behind it.

Collapse
 
tinkermakar profile image
Makar

You can

  1. Restrict pushing to main branches directly, only pull requests are allowed
  2. Draft a GitHub Actions script to compare the verify package.json's hash matches a predefined hash (i.e. the file is the same as before)
  3. Make that GitHub action mandatory to merge any PR
Collapse
 
uzair004 profile image
Muhammad Uzair

You probably need to find a way to restrict write access to package.json file,

This Stack overflow question can be helpful

Collapse
 
wxifu profile image
Luna

Came across on old yarn issue that gave the following solution:

  "engines": {
    "npm": "anythingthatisntavalidversion",
    "yarn": "anythingthatisntavalidversion"
  }
Enter fullscreen mode Exit fullscreen mode

within your package.json and

engine-strict = true
Enter fullscreen mode Exit fullscreen mode

in a file called .npmrc

Collapse
 
wxifu profile image
Luna

This only prevents the use though and doesn't return a reply like the example you gave

Collapse
 
jasoncubic profile image
JasonCubic

Build a ci step in GitHub actions to error out when a dependency is added. Have it run on all PR's.

Read next

akshat0610 profile image

Day 3 of 30 of JavaScript

Akshat Sharma -

annoh_karlgusta profile image

The One Thing Nobody Seems To Be Talking About

Karl Esi -

anogneva profile image

21 bugs in 21st version of Apache NetBeans

Anastasiia Ogneva -

hirelaraveldevelopers profile image

Why Magento is the #1 Choice of eCommerce Startups?

Hire Laravel Developers -