As discussed outside of this issue, a post-process script could be useful to fix style issues with eslint --fix and perhaps do other things in the future. We could also use this script to do an initial npm install for users. Here's how it might be implemented:
post-process.js file in a template. (Not sure what the exact name or format should be.)
(cc @LinusBorg, who started the discussion resulting in this issue)
Thanks for opening the issue!
I certainly like this idea. The npm install hook could be a standard,
One thing to keep in mind is that this should be somehow "sandboxed". I feel uncomfortable with the thought of vue-cli running arbitrary command-line stuff someone might have added to his/her custom template. If there's some malicious stuff (or sloppy errors), this can potentially damage the user's setup/file-system.
We can start by just running eslint --fix on vue-cli
What kind of post processing are you thinking about? (Apart from eslint)
@LinusBorg I'm not sure the npm install hook should be built-in, because the CLI could be used to generate templates that aren't managed by NPM (and actually, our simple template is one of them). There could also be templates with a frontend and backend folder for example, that each have their own package.json in place of one in the root.
As for sandboxing, I had that thought as well, but it'd also be easy to sneak something into a build script, postinstall script, etc - so even now, people only want to install templates from trusted sources.
@posva I don't think it's feasible to just always run eslint --fix, as many templates won't have ESLint installed. I think it'd be simpler to just not make assumptions about templates and have them take care of what they need.
> because the CLI could be used to generate templates that aren't managed by NPM
Oh, right, of course.
> As for sandboxing, I had that thought as well, but it'd also be easy to sneak something into a build script, postinstall script, etc - so even now, people only want to install templates from trusted sources.
I thought like this as well at first, but to me, the CLI running something immediately after init has a different quality than a malicious npm script which I, the user, can analyse in my (CLI-generated) project files before I actually run it.
npm install
Does that make sense?
@chrisvfritz I was actually thinking about vue-cli running eslint. It may also run other commands in the future.
I'm talking about this because we may not need anything complicated yet. Maybe no other need appears in the future. Also, I think it's a good idea to let the cli decide what executables can be called and what options can or cannot be passed
@LinusBorg Well to be totally safe right now, one would have to not only read the source after generating files, but before installing, they'd have to also read the source of every dependency and even nested sub-dependency (I believe the Webpack template has over 1000!). If someone really had malicious intentions, it'd be extremely easy to sneak something in.
So I feel like setting up some fancy sandboxing or command whitelisting might provide the illusion of greater security by eliminating one of the more obvious attack vectors, but it wouldn't actually make users safer. 😕 And by including such security features, we might even be making users _less_ safe, as the false sense of security might make them feel like they can use any template they want, without first considering where it came from.
@posva I'm a bit worried about coupling the CLI tool to specific template implementations. Some might want to add JSHint, HTMLLint, Stylelint, etc and then we'd have set a precedent for adding all these integrations within vue-cli. Then on the template maintainer side, people would have to open issues/PRs on whenever they wanted to do some post-processing we didn't allow yet.
By keeping things simple with the post-generate script, we're not closing off any future, as-yet-unforeseen possibilities and we won't have to do a lot of maintenance on this feature, because sufficient power is given to template authors to do whatever they'd like.
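The comment above points out that scripts in a generated project and in its dependencies already run at install time. As an added example (not part of the thread and not vue-cli code), this Node.js script lists the lifecycle scripts a bare `npm install` would execute so they can be reviewed first; the sample tree, package names and commands are constructed.

```javascript
// Added example: list the scripts `npm install` would run, for review.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Hooks run for the project itself, then for each package in node_modules.
const ROOT_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_HOOKS = ['preinstall', 'install', 'postinstall'];

function hooksIn(dir, hooks) {
  let scripts;
  try {
    const text = fs.readFileSync(path.join(dir, 'package.json'), 'utf8');
    scripts = JSON.parse(text).scripts || {};
  } catch {
    return []; // no readable package.json here
  }
  return hooks.filter((h) => typeof scripts[h] === 'string')
    .map((hook) => ({ dir, hook, command: scripts[hook] }));
}

// Every package directory under root/node_modules, scoped and nested included.
function packageDirs(root) {
  const nm = path.join(root, 'node_modules');
  if (!fs.existsSync(nm)) return [];
  return fs.readdirSync(nm).filter((n) => !n.startsWith('.')).flatMap((n) => {
    const full = path.join(nm, n);
    const pkgs = n[0] === '@'
      ? fs.readdirSync(full).map((s) => path.join(full, s)) : [full];
    return pkgs.flatMap((p) => [p, ...packageDirs(p)]);
  });
}

function auditInstallScripts(projectDir) {
  const deps = packageDirs(projectDir).flatMap((d) => hooksIn(d, DEP_HOOKS));
  return [...hooksIn(projectDir, ROOT_HOOKS), ...deps];
}

// Constructed sample tree standing in for a freshly generated project.
function buildSampleProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'tpl-audit-'));
  const put = (rel, scripts) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify({ scripts }));
  };
  put('.', { build: 'webpack', prepare: 'node setup.js' });
  put('node_modules/left', { test: 'mocha' });
  put('node_modules/@acme/native', { postinstall: 'node fetch-binary.js' });
  put('node_modules/left/node_modules/deep', { preinstall: 'sh ./configure' });
  return root;
}
```

Run `auditInstallScripts` on a project after `npm install --ignore-scripts`, which unpacks the dependencies without executing their hooks.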
@chrisvfritz Ok, you have me convinced. :)
@chrisvfritz But doesn't that mean that template authors can create unsafe post-generate scripts?
@posva Yeah, but since they can already generate unsafe templates in general (see the explanation to Linus), users won't be any less safe than they used to be. Installing a template from someone simply requires some trust. Does that make sense?
Okay, I didn't understand that at the beginning.
You convinced me too 👌
On Thu, 15 Sep 2016, 15:22 Chris Fritz, [email protected] wrote:
> @posva https://github.com/posva Yeah, but since they can already generate unsafe templates in general (see the explanation to Linus), users won't be any less safe than they used to be. Installing a template from someone simply requires some trust. Does that make sense?