In that case (i.e., "npm test") the user is explicitly invoking the script. If we are talking about hooks that run automatically on "cordova plugin add", then it is implicit. How about if the CLI prompted the user when a hook request is present, such as "plugin foobar wants to run the script xyz. Do you grant permission for it to do so?" Perhaps plugman could have an --accept-scripts parm that granted permission to all such requests to prevent prompting?
On Mar 3, 2014, at 2:11 PM, Parashuram Narasimhan (MS OPEN TECH) <panar...@microsoft.com> wrote:
> Note that this is very similar to npm. My guess is that security story would
> be the same.