Hey! Nice work, gale is really fast and working well in my monorepo in early tests.
Can you include the binaries with the package?
This step to build the binary is a real drag. We don't use Node, and I don't want to run postinstall or include Node in my runners.
postinstall is one of the big npm supply-chain attack vectors.
It is dangerous because it runs code automatically during dependency installation, often in CI where tokens, cloud credentials, npm auth, GitHub Actions env vars, and source code are present. A compromised package can use postinstall to exfiltrate secrets, download another payload, alter files, or install a malicious binary before your actual build/test commands run.
For Gale specifically, the risk is not just “runs a script.” It is:
"postinstall": "node install.js"
and that script downloads an executable from GitHub releases. The lockfile integrity protects the npm tarball, but it does not fully protect the binary fetched later over the network by the install script.
That is exactly why Bun blocks untrusted lifecycle scripts by default. Trusting Gale would make installation work, but it means accepting that package’s installer and release-hosted binary as part of your trusted build chain.
Excited to keep this in our toolchain and see it become a real alternative to stylelint.
Thanks again!
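Two defensive checks for the gap described in this thread, added here as an example rather than code from gale or the poster: the first lists which installed packages declare install-time lifecycle scripts so they can be reviewed before scripts are enabled, and the second verifies a binary fetched by an install script against a SHA-256 digest pinned in the consuming repository, which is the part the lockfile's tarball integrity does not cover. The package contents and digest in the sample are constructed.

```python
import hashlib
import hmac
import json
from pathlib import Path
from typing import Dict

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_scripts(package_jsons: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {package: {hook: command}} for packages declaring install-time hooks.

    `package_jsons` maps a package name to the text of its package.json.
    """
    found = {}
    for name, text in package_jsons.items():
        scripts = json.loads(text).get("scripts", {})
        hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_SCRIPTS}
        if hooks:
            found[name] = hooks
    return found


def scan_node_modules(root: Path) -> Dict[str, Dict[str, str]]:
    """Apply find_lifecycle_scripts to a real node_modules tree, scoped packages included."""
    paths = list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json"))
    pkgs = {str(p.parent.relative_to(root)): p.read_text() for p in paths}
    return find_lifecycle_scripts(pkgs)


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """Check a downloaded release binary against a digest pinned in the repo.

    Pinning the digest alongside the lockfile extends integrity protection to the
    file the install script fetches later over the network.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())


# Constructed sample package.json contents; the names are not real packages.
SAMPLE_PACKAGES = {
    "example-native-tool": json.dumps(
        {"scripts": {"postinstall": "node install.js", "test": "jest"}}),
    "plain-lib": json.dumps({"scripts": {"build": "tsc"}}),
}

if __name__ == "__main__":
    for pkg, hooks in find_lifecycle_scripts(SAMPLE_PACKAGES).items():
        print(f"{pkg}: {hooks}")
```

Running `scan_node_modules(Path("node_modules"))` after an `npm install --ignore-scripts` shows what would have executed, so the decision to trust a package's installer is made explicitly rather than by default.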