Node.js: Create checksums for npm's 'postinstall' actions
After watching Patrick Debois' talk from DeliveryConf »How Secure Is Your Build / Server?«, I tried to get at least a rough idea of whether `postinstall` steps were running at all, and whether they do the same things after a package update.
So I wrote a little proof of concept that will:
- Create a Dockerfile, using the `package-lock.json` from a Node.js project in the current directory
- Install all its dependencies inside the Docker container first, without running any `postinstall` steps, then do the same with the scripts enabled
- Read the diff between those two steps from Docker's image layers
- Calculate a checksum of those changes
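The four steps above, written out as one script. This is an added example, not the post's proof of concept: it generates the two-stage Dockerfile, builds the stage without lifecycle scripts, runs the scripts in a container on top of it, pulls out only the paths that `docker diff` reports as changed, and hashes them. The image tag `postinstall-audit`, the stage names and the file names under the work directory are made up here; and where the post does a second install with scripts enabled, this example runs `npm rebuild` on the already installed tree so that the layer diff contains only what the scripts touched.

```shell
#!/usr/bin/env bash
# Added example, not the post's proof of concept. Assumes Docker, npm and GNU tar on
# PATH for the build/extract steps; the Dockerfile generator and the checksum helper
# run without them. "postinstall-audit" and the stage names are assumed labels.
set -eu

# sha256 of one file (or "-" for stdin), hash column only; works with coreutils or perl shasum.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Stage "deps" installs the locked tree with lifecycle scripts disabled. Stage "scripts"
# runs them afterwards (npm rebuild executes preinstall/install/postinstall for the
# installed packages), so the last layer holds only what the scripts added or changed.
write_dockerfile() {
  local image="$1" out="$2"
  cat > "$out" <<EOF
FROM ${image} AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts

FROM deps AS scripts
RUN npm rebuild
EOF
}

# Build the deps stage, run the scripts in a container on top of it, and copy only the
# paths "docker diff" reports as added (A) or changed (C) into OUTDIR/rootfs. The raw
# diff listing is kept next to it so deleted (D) entries also influence the checksum.
extract_script_changes() {
  local dockerfile="$1" ctx="$2" outdir="$3" cid
  docker build --target deps -f "$dockerfile" -t postinstall-audit:deps "$ctx" >/dev/null
  cid=$(docker create postinstall-audit:deps npm rebuild)
  docker start -a "$cid" >/dev/null
  mkdir -p "$outdir/rootfs"
  docker diff "$cid" | LC_ALL=C sort > "$outdir/docker-diff.txt"
  # "A /app/x" -> "app/x": tar member names carry no leading slash; skip deletions
  grep -v '^D ' "$outdir/docker-diff.txt" | cut -c4- > "$outdir/changed-paths.txt"
  docker export "$cid" | tar -x -C "$outdir/rootfs" --no-recursion -T "$outdir/changed-paths.txt"
  docker rm "$cid" >/dev/null
}

# One digest over the sorted relative paths and contents of every file under DIR.
# Same lockfile and same scripts give the same digest; a script that writes something
# different after a package update gives another one, which is the signal we want.
checksum_changes() {
  local dir="$1"
  ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s\n' "$(sha256 "$f")" "$f"
    done ) | sha256 -
}

# Usage (needs Docker), from the project directory:  ./postinstall-checksum.sh --run [node-image]
if [ "${1:-}" = "--run" ]; then
  work=$(mktemp -d)
  write_dockerfile "${2:-node:20-alpine}" "$work/Dockerfile"
  extract_script_changes "$work/Dockerfile" "$PWD" "$work/changes"
  printf 'postinstall checksum: %s\n' "$(checksum_changes "$work/changes")"
fi
```

Store the printed digest with the lockfile (for example in CI) and compare it on the next dependency update: an unchanged digest means the scripts produced byte-identical output, while a changed one is the cue to look at `docker-diff.txt` and the extracted files before trusting the new tree.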