After watching Patrick Debois' talk from DeliveryConf »How Secure Is Your Build / Server?«, I tried to get at least a rough idea of whether postinstall steps were running at all and whether they do the same things after a package update.
So I wrote a little proof of concept that will:
- Create a Dockerfile, using `package.json` and `package-lock.json` from a Node.js project in the current directory
- Install all its dependencies inside the Docker container first, without running any `postinstall` steps, then do the same with running the scripts
- Read the diff of those steps using Docker's image layers
- Calculate a checksum of those changes
So when you update any dependencies and run the script again, you should be able to tell if something inside the `postinstall` step changed and dig deeper into the issue.
Requirements:
- Node.js
- Docker on Linux (Docker for Mac/Windows doesn't expose `/var/lib/docker/overlay2`)