
Ask HN: Package.json needs an allowList for the deps that can run postinstall

4 points by 01walid over 2 years ago
The fact that any dependency can run a postinstall script is a supply chain attack risk!

I believe package managers (npm, pnpm, yarn ..) need to account for an `allowList`-like implementation to give more granularity to what dependency can run a postinstall, as opposed to the all-in or not `--ignore-scripts` option.

It can be made backward-compatible, where it's allowed by default if there's no allowList, else, only the allowed deps if present.

An empty array would be equivalent to `--ignore-scripts` by default.

Orgs/teams can define their own allowList and have it enforced as a policy or a recommendation.

I know this is not enough to fully mitigate supply chain attacks, but it'd be a positive step forward.

I'm not sure where to post such a proposal? npm ?

No comments yet