husky: Don't pollute enclosing project hooks

I just ran npm install on a package within my project’s node_modules. This package has husky listed as a devDependency. husky ended up writing hooks into my project’s .git/hooks, instead of the package within node_modules. Now I can’t commit code in my own project without removing the hooks / --no-verifying.

About this issue

  • State: closed
  • Created 9 years ago
  • Reactions: 7
  • Comments: 15 (4 by maintainers)

Most upvoted comments

Closing as husky 5 doesn’t automatically install hooks anymore, unless explicitly specified in package.json > postinstall. Thanks for the feedback 👍

@cdaringe What would be explicit opt-in is if the requirement was to add "postinstall": "ghooks --init" or similar to “scripts”. This is implicit, not explicit, because simply by adding a dependency, something other than installing happens.

I had the same problem (with ghooks). This caused git hooks I didn’t write, audit, or know about to be installed in my company’s private repo.

Automatically injecting git hooks on install (as opposed to requiring the package consumer to explicitly add a command in a postinstall script, which would be far safer) is dangerous enough - it should certainly not traverse above the folder the closest package.json (that references husky) is in under any circumstances.

All I know is that I’ve never done any development on video.js, they used ghooks as a dev dep, and somehow my company’s private git repo ended up with git hooks I didn’t write or audit.

I think doing anything like this automatically on install is HIGHLY dangerous. Users should have to opt-in by running an explicit command first.

@ericsoco next version of Husky will prevent this case. There’s already a test and code for this in master.

So, Husky won’t install git hooks if it detects that it’s in a sub-node_module directory. For example:

project$ cd node_modules/json-server
project/node_modules/json-server$ npm install

won’t install hooks in project/.git

I was debugging a package and needed to rebuild it to pick up my changes.

My apologies, I don’t know how husky does what it does, so I don’t know if it’s feasible for it to be aware of context (installed within an npm installed package or not), but it would be great if it could be smart enough to not install hooks two levels up.

On Friday, December 4, 2015, typicode notifications@github.com wrote:

Hi @ericsoco https://github.com/ericsoco,

Not sure I understand why you want to run npm install in node_modules? But if you’re making some tests, you can run npm rm husky --save-dev to get rid of it and the installed hooks.

— Reply to this email directly or view it on GitHub https://github.com/typicode/husky/issues/36#issuecomment-161933831.

ditditdit on my mobile phone