The default install process should stop and prompt you with something like:
Package ua-parser-js wants to run a script before installing.
The description of the package is:
"Detect Browser, Engine, and Device type/model from User-Agent data."
The reason for the pre-install script is:
"Configuring the local user agent thing for reasons."
This script has been unchanged since version 0.7.29 which was published:
14 hours ago
The hash of the script is:
0123456789abcdef
Press Y to examine the script, or N to cancel installation.
After npm echoes out the script, the user should decide whether it looks obfuscated or does anything suspicious. If the user is still unsure, they can search the web for the hash of the script to see if other people have audited it.
For automated installs, such as a CI server, there would need to be a command line argument or config file entry with something like:
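An added example (not from the original text, and not an existing npm feature): a Node.js version of the check proposed above, which hashes each install-time script and lets an unattended install proceed only when every hash has already been approved. The package `example-pkg`, its file contents, and the shape of the `approvals` map are constructed assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// Lifecycle hooks npm runs automatically while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Hash the hook command plus the contents of any package file it names, so that
// editing preinstall.js changes the hash even when the command line does not.
function hashHook(command, files) {
  const h = crypto.createHash('sha256').update(command);
  for (const token of command.split(/\s+/)) {
    if (Object.hasOwn(files, token)) h.update('\0' + token + '\0' + files[token]);
  }
  return h.digest('hex');
}

// One finding per install hook: which script would run, its hash, and whether
// that hash is in the approvals map (assumed format: package name -> hashes).
function reviewPackage(manifest, files, approvals) {
  const name = manifest.name;
  const allowed = new Set(Object.hasOwn(approvals, name) ? approvals[name] : []);
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => {
      const hash = hashHook(scripts[hook], files);
      return { pkg: `${name}@${manifest.version}`, hook, command: scripts[hook],
               hash, approved: allowed.has(hash) };
    });
}

// Unattended (CI) decision: a package with no install hooks passes; otherwise
// every hook hash must have been approved by a human beforehand.
function decide(findings) {
  return findings.every((f) => f.approved) ? 'install' : 'block';
}

// Constructed sample data: a reviewed release, then a release whose script changed.
const reviewed = {
  manifest: { name: 'example-pkg', version: '1.0.0',
              scripts: { preinstall: 'node preinstall.js', test: 'node test.js' } },
  files: { 'preinstall.js': 'console.log("configure");\n' },
};
const changed = {
  manifest: { ...reviewed.manifest, version: '1.0.1' },
  files: { 'preinstall.js': 'console.log("configure v2");\n' },
};
const approvals = { 'example-pkg': [hashHook('node preinstall.js', reviewed.files)] };

console.log(decide(reviewPackage(reviewed.manifest, reviewed.files, approvals)));
console.log(decide(reviewPackage(changed.manifest, changed.files, approvals)));
```

The hash here covers only files named directly on the hook's command line; anything those files load in turn would need to be included before the hash could stand in for a full audit.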