Allow setting onlyBuiltDependencies globally #8891
Description
Contribution
- I'd be willing to implement this feature (contributing guide)
Describe the user story
A vulnerable version of rspack was just published, which had a malicious postinstall script. Add new configuration values that would protect against this without creating too much frustration for users. Most people don't want to disable postinstall scripts because some libraries expect them to be used. However, most use cases for postinstall scripts are for a small set of known libraries or for the user's own project rather than for dependencies.
Describe the solution you'd like
enable-pre-post-scripts could have a value such as 'project', which would run only the project's preinstall and postinstall scripts and not those of any dependencies
Additionally, enable-pre-post-scripts could accept an array of whitelisted dependencies that would be allowed to run preinstall and postinstall scripts
Describe the drawbacks of your solution
There are few downsides to introducing a new option. If one of these options were made the default, that would introduce friction for some users, but I believe the ecosystem would be made better off and that trade-off may be worth it.
Describe alternatives you've considered
Only do JavaScript development inside VMs or containers. Realistically, most users aren't going to do this.