
Published package ships dev/build lifecycle scripts (no-op preinstall runs on every consumer install) #1701


@nertzy

Summary

The published @google/genai package (currently 1.52.0) carries the project's full development/build scripts block in its package.json. Several of these are lifecycle hooks that npm executes (or references) on the consumer side, even though they do nothing useful outside the SDK's own build:

"scripts": {
  "preinstall": "echo 'preinstall: no-op'",
  "prepare": "node scripts/prepare.js",
  "prepack": "echo 'prepack: no-op'",
  "postpack": "echo 'postpack: no-op'",
  "prebuild": "echo 'prebuild: no-op'",
  "prebuild-prod": "echo 'prebuild-prod: no-op'",
  // ...
}

Why it matters

  • preinstall runs on every consumer install. Because it's a real lifecycle hook, any project that depends on @google/genai executes echo 'preinstall: no-op' on npm install. It does nothing, but it trips supply-chain tooling that gates install scripts — npm allow-scripts wrappers, pnpm's onlyBuiltDependencies, Bun's trusted-dependencies prompt, etc. Each downstream consumer is forced to explicitly allow-list an install script that has no effect, which erodes the signal those gates are meant to provide.
  • prepare points at a file that isn't in the tarball. The files allowlist ships only dist/ (+ a couple of package.json shims), so scripts/prepare.js is excluded from the published artifact. prepare doesn't run on a registry install, but it does run on a git-dependency install (npm i googleapis/js-genai#...), where it would fail because scripts/ is absent.

These are artifacts of the internal build manifest leaking into the published one — the registry artifact only needs the runtime dist/ output, not the build/test/lint/docs scripts.

Observed output

Under an install-script gate (here, an allow-scripts wrapper over npm), @google/genai's preinstall must be explicitly approved despite being a no-op:

npm warn allow-scripts install scripts not yet covered by allowScripts:
npm warn allow-scripts   @google/genai@1.52.0 (preinstall: echo 'preinstall: no-op')
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.

Suggested fix

Strip dev/build lifecycle scripts from the published manifest while keeping them in the source repo. Common approaches:

  • A publish-time package.json rewrite (e.g. clean-publish) that drops scripts (or all but a curated allowlist).
  • Move anything consumers genuinely need into publishConfig, and keep dev scripts out of the published file.

At minimum, removing the no-op preinstall would stop the needless install-time execution on every downstream project.
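The two sides of this report can be checked mechanically. The following is an added example (not code from the issue author or from the @google/genai project) in Node.js: `auditManifest` flags scripts that npm runs on the consumer side (`preinstall`/`install`/`postinstall` on any install, `prepare` on git-dependency installs) and a `prepare` whose target file is not covered by the `files` allowlist, and `publishManifest` produces the clean-publish style manifest that drops every script not on an explicit keep list. The function names and the sample manifest are constructed for this example; the `files` matching is a deliberate simplification (exact entries and directory prefixes only, not npm's full glob and negation rules).

```javascript
// Added example (not part of the issue or the @google/genai project).
// Hooks npm runs for a registry install of a dependency.
const CONSUMER_INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall']);
// Hooks npm runs only when the dependency is installed from a git URL.
const GIT_INSTALL_HOOKS = new Set(['prepare']);

// Simplified check: a path is shipped if `files` is absent (everything ships),
// lists the path exactly, or lists a directory that contains it.
function isCovered(path, files) {
  if (!files || files.length === 0) return true;
  return files.some((entry) => {
    const dir = entry.replace(/\/$/, '');
    return path === entry || path === dir || path.startsWith(dir + '/');
  });
}

// Returns findings for lifecycle scripts that execute outside the package's
// own build, plus a `prepare` hook pointing at a file the tarball omits.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const [name, cmd] of Object.entries(scripts)) {
    if (CONSUMER_INSTALL_HOOKS.has(name)) {
      findings.push({ script: name, severity: 'high',
        reason: `runs on every consumer install: ${cmd}` });
    } else if (GIT_INSTALL_HOOKS.has(name)) {
      findings.push({ script: name, severity: 'medium',
        reason: `runs on git-dependency installs: ${cmd}` });
      // `node <file>` form: verify the referenced file is in the published files.
      const m = cmd.match(/^node\s+(\S+)/);
      if (m && !isCovered(m[1], pkg.files)) {
        findings.push({ script: name, severity: 'high',
          reason: `references ${m[1]}, which is not covered by the files allowlist` });
      }
    }
  }
  return findings;
}

// Publish-time rewrite: copy the manifest, keeping only scripts on `keep`
// (the consumer never needs build/test/lint/docs scripts).
function publishManifest(pkg, keep = []) {
  const { scripts = {}, ...rest } = pkg;
  const kept = Object.fromEntries(
    Object.entries(scripts).filter(([name]) => keep.includes(name)));
  const out = { ...rest };
  if (Object.keys(kept).length > 0) out.scripts = kept;
  return out;
}

// Constructed sample manifest modelled on the snippet in the report.
const SAMPLE_MANIFEST = {
  name: 'example-sdk',
  version: '0.0.0',
  files: ['dist/'],
  scripts: {
    preinstall: "echo 'preinstall: no-op'",
    prepare: 'node scripts/prepare.js',
    prepack: "echo 'prepack: no-op'",
    build: 'tsc',
    test: 'jasmine',
  },
};

function demo() {
  return {
    findings: auditManifest(SAMPLE_MANIFEST),
    cleaned: publishManifest(SAMPLE_MANIFEST),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run against a dependency tree, the audit half is the same signal an install-script gate gives, but produced before `npm install`; `prepack` and `postpack` are not flagged because npm runs them on the publisher's side only.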

Environment

  • @google/genai 1.52.0 (observed from the published npm tarball)
  • Reproducible on any platform — npm install @google/genai with an install-script gate enabled will flag preinstall.

Labels

  • priority: p2 (Moderately-important priority. Fix may not be included in next release.)
  • type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
