June 22, 2026

Install drama before install scripts

Package Managers need global hooks

Coders want one master safety switch, but the comments say it could open a whole new mess

TLDR: A developer wants every package manager to add one global safety-check system to catch bad software before it installs. Commenters were split between “finally, useful protection” and “great, now you’ve invented antivirus and maybe a new malware hole too,” making the backlash almost bigger than the proposal itself.

A developer tossed out a big idea: every app installer should have a global safety check built in, so people can block shady downloads before they land. The pitch is simple in human terms: instead of relying on clunky workarounds, company-only tools, or sketchy command-line tricks, your package manager — the tool that installs software libraries — should let you set one system-wide rulebook. In theory, that could help stop the next supply-chain disaster before it spreads.

But the comments? Absolute food fight. One camp basically yelled, “So... we’re reinventing antivirus from 2004 now?” with critics warning that bad actors can just change their malware enough to dodge detection. Another crowd went even harder, saying the proposed fix could become its own attack route, which is the kind of irony commenters live for. Meanwhile, others said the real villain isn’t all package managers — it’s mostly the wild-west culture around JavaScript installers, where packages can secretly run code during install. That sparked the classic internet split: is this a universal safety upgrade, or just a bandage for one ecosystem’s chaos?

There was also some nerdy side-eye over whether this is even new, with commenters pointing out that old-school system package tools already have hooks. Translation: the thread quickly turned from “great idea” to “did you just rediscover something half the internet already has?” And that, honestly, is where the real entertainment began.

Key Points

  • The article proposes that package managers add support for globally configured hooks that run before stages in the package-management workflow.
  • It describes current defensive measures in package ecosystems, including dependency cooldowns, dependency policies, and Homebrew’s one-day cooldown for Python and NPM package bumps.
  • The article outlines three existing package-management security approaches from vendors: registry proxying, shell wrappers, and HTTPS proxy/MITM inspection.
  • A proof of concept combined StepSecurity OSS Feed with pnpm hooks to block malicious package installs based on threat-feed checks.
  • The author says pnpm lacks global hook support, NPM does not support hooks, and Yarn’s global hook configurability is unclear; the article also points to possible hook use in AUR helpers and yay’s UpgradeSelect event.
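To make the proof of concept concrete, here is an added example (not the article's code and not the StepSecurity PoC) of a project-scoped pnpm `.pnpmfile.cjs` `readPackage` hook that aborts an install when a dependency appears in a threat feed. The feed contents and package names are constructed, and the way the real OSS Feed is fetched and formatted is an assumption; note that because pnpm only supports this per-project hook file, every repository would need its own copy, which is exactly the gap the global-hook proposal targets.

```javascript
// Added example, not the article's proof of concept: a pnpm-style
// .pnpmfile.cjs "readPackage" hook that refuses manifests whose dependencies
// appear in a threat feed. The feed is a constructed sample embedded inline
// so the file runs offline; how StepSecurity OSS Feed is actually consumed
// is an assumption, not something taken from the page.

// Constructed feed: package name -> flagged exact versions, or '*' for all.
const THREAT_FEED = {
  'example-malicious-pkg': ['1.2.3', '1.2.4'],
  'example-fully-compromised': '*',
};

const EXACT_PIN = /^=?v?(\d+\.\d+\.\d+)$/;

// Decide whether a single (name, spec) dependency should be blocked.
// Returns null when allowed, otherwise a short reason string.
function checkDependency(name, spec, feed = THREAT_FEED) {
  const flagged = feed[name];
  if (flagged === undefined) return null;
  if (flagged === '*') return `${name} is flagged at every version`;
  const pin = EXACT_PIN.exec(String(spec).trim());
  if (pin) {
    return flagged.includes(pin[1]) ? `${name}@${pin[1]} is flagged` : null;
  }
  // A range such as ^1.2.0 may resolve to a flagged version later; the hook
  // runs before resolution, so block conservatively rather than guess.
  return `${name}@${spec} is an unpinned range and ${name} has flagged versions`;
}

// Walk the dependency maps pnpm consults and collect reasons to block.
function findBlocked(manifest, feed = THREAT_FEED) {
  const reasons = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const reason = checkDependency(name, spec, feed);
      if (reason) reasons.push(reason);
    }
  }
  return reasons;
}

// pnpm calls readPackage for every manifest it reads; throwing aborts the install.
function readPackage(pkg, context) {
  const reasons = findBlocked(pkg);
  if (reasons.length) {
    throw new Error(`install blocked by threat feed:\n  ${reasons.join('\n  ')}`);
  }
  return pkg;
}

module.exports = { hooks: { readPackage }, checkDependency, findBlocked };
```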

Hottest takes

"reinvent signature based antiviruses" — TZubiri
"a prime new vector for malware, ironically" — drdexebtjl
"This seems to be primarily a problem with NPM" — YuechenLi
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.