I was looking at using the new workspaces feature of npm v7.
I followed the instructions and ran `npm init -w ui`, but the CLI looked nothing like what I expected.
Turns out, I didn't realize I was running with npm@6. `npm init` has a "feature" where it automatically uses the first argument to `npm init` and basically reinterprets the command as `npx create-<name>`. The `-w` argument doesn't count as a normal argument, so npm skips it, and, in my case, it runs `npx create-ui` instead.
`create-ui` is a real package.
`create-ui` is a non-malicious package. But it would have been easy for me to unwittingly use an npm 6 command with a flag from npm 7 that, because of lax CLI argument rules, runs unexpected code. I would have expected at least some sort of "unknown option -w" error instead of it just blindly trying to run something if it were there.
I wanted to report this issue somewhere, and this seemed like the place to do it. However, I'm not sure if there is anything to be done here. If a check for `-w` were added to npm@6, that could break existing scripts. Maybe some sort of guarantee that `create-*` scripts are somewhat vetted?
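One way to catch this before it happens, as an added example that is not part of the original post: a small POSIX shell helper that, given the npm major version and the arguments you intend to pass to `npm init`, reports which `create-*` package npm would end up delegating to, so a wrapper can refuse instead of silently running it. It assumes the behaviour described above (the first non-flag argument becomes the initializer name, and npm 6 drops `-w` without consuming its value); the function names are my own.

```shell
#!/bin/sh
# Added example, not npm's own code. Models the delegation rule described in
# the post: `npm init <name>` becomes `npx create-<name>`, and npm 6 ignores
# the unknown -w flag, so `npm init -w ui` turns `ui` into an initializer.
# The npm major version is passed in explicitly so the logic runs offline.

# Print the create-* package npm would run and return 0, or print nothing and
# return 1 when the command is a plain interactive/default init.
npm_init_delegate() {
  major="$1"; shift
  skip_next=0
  for arg in "$@"; do
    if [ "$skip_next" -eq 1 ]; then skip_next=0; continue; fi
    case "$arg" in
      -w|--workspace)
        # npm 7 consumes the flag and its value; npm 6 drops only the flag,
        # leaving the following word to be read as the initializer name.
        if [ "$major" -ge 7 ]; then skip_next=1; fi
        ;;
      --workspace=*) ;;   # value attached to the flag, nothing left over
      -*) ;;              # other flags are never initializer names
      *)
        echo "create-$arg"
        return 0
        ;;
    esac
  done
  return 1
}

# Refuse unless `npm init` would do a plain init with these arguments.
guard_npm_init() {
  major="$1"; shift
  if delegate=$(npm_init_delegate "$major" "$@"); then
    echo "refusing: npm $major would run 'npx $delegate' for: npm init $*" >&2
    return 1
  fi
  return 0
}

# Usage with the installed npm (assumed on PATH; not run here):
#   guard_npm_init "$(npm --version | cut -d. -f1)" -w ui && npm init -w ui
```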