Dangerous cli meaning changes from Npm 6 to 7

I was looking at using the new workspaces feature of Npm v7.

I followed the instructions and ran: npm init -w ui but the CLI looked nothing like what I expected.

Turns out, I didn’t realize I was running with npm@v6. npm init has a “feature” where it automatically uses the first argument to npm init and basically reinterprets the command as npx create-<first_arg>.

Well, the -w argument doesn’t count as a normal argument, so npm skips it, and, in my case, it runs npx create-ui instead. create-ui is a real package.

Fortunately, create-ui is a non-malicious package. But it could have been easy for me to unwittingly use an Npm 6 command with a flag from Npm 7 that, because of lax cli argument rules, runs unexpected code. I would have expected at least some sort of "unknown option -w" and an error instead of just blindly trying to run something if it were there.

I wanted to report this issue somewhere. This seemed like the place to do it. However, I’m not sure if there is anything to be done here. If a check for -w were added to Npm@6, that could break existing scripts. Maybe some sort of guarantee that create-* scripts are somewhat vetted?

I think that submitting a bug or posting in the Feedback channel of the npm community would be a more appropriate location.
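
One way to guard against the mix-up described in the post above is a shell wrapper that refuses to forward `npm init` when a workspace flag is present and the installed npm is older than 7. This is an added example, not part of the original thread or of npm itself; the function names are hypothetical and the version strings in the comments are sample values.

```shell
#!/bin/sh
# Added example: guard `npm init` against npm 7 workspace flags on older npm.
# All function names here are hypothetical helpers, not part of npm.

# Print the major version from a string such as "6.14.18" (sample value).
npm_major() {
    printf '%s\n' "${1%%.*}"
}

# Return 0 if any argument is a workspace flag (introduced in npm 7).
uses_workspace_flag() {
    for arg in "$@"; do
        case "$arg" in
            -w|--workspace|--workspace=*|-ws|--workspaces) return 0 ;;
        esac
    done
    return 1
}

# Decide whether an `npm init` call may be forwarded.
# $1 = npm version string, remaining args = what would follow `npm init`.
# Prints "run" or "refuse".
check_npm_init() {
    version=$1; shift
    uses_workspace_flag "$@" || { echo run; return 0; }
    major=$(npm_major "$version")
    case "$major" in
        ''|*[!0-9]*) echo refuse ;;   # unparseable version: fail closed
        *) if [ "$major" -lt 7 ]; then echo refuse; else echo run; fi ;;
    esac
}

# Wrapper to call in place of `npm init`.
guarded_npm_init() {
    version=$(npm --version) || return 1
    if [ "$(check_npm_init "$version" "$@")" = "refuse" ]; then
        echo "npm $version has no workspace support; not running: npm init $*" >&2
        return 1
    fi
    npm init "$@"
}
```

With npm 6 installed, `guarded_npm_init -w ui` exits with an error instead of letting the remaining argument be resolved to a `create-ui` package.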