#28176 feat(core): Add no-forbidden-lifecycle-scripts lint rule for community nodes

Lifecycle scripts banned from community node packages

A new ESLint rule blocks dangerous npm lifecycle scripts in community node packages, preventing arbitrary code execution on n8n instances during installation.

Community node packages distributed through n8n can now be installed with greater confidence. A new ESLint rule detects and flags npm lifecycle scripts — prepare, preinstall, postinstall, and their variants — that run automatically during package installation without user confirmation.

These scripts are a problem for community nodes because n8n distributes them as pre-built packages. Unlike a package that needs a compile step at install time, a community node should already contain ready-to-use code, so a lifecycle script in this context is either an author mistake or a potential supply-chain attack vector.

The rule scans package.json files for the scripts field and raises an error if any of the seven forbidden lifecycle scripts is present. It is enabled in both the recommended and recommendedWithoutN8nCloudSupport configurations of the community nodes ESLint plugin, so any project using either configuration runs it automatically as part of code review.

This security measure emerged from two real-world occurrences caught during code review, highlighting a genuine risk in the community node ecosystem.
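The check the rule performs, as an added stand-alone example that is not the n8n plugin's own rule implementation: it parses a package.json document and reports every script entry whose name is one of the seven forbidden lifecycle hooks listed in the PR description. The two sample manifests and their package names are constructed for this example.

```javascript
// Added example, not the @n8n/eslint-plugin-community-nodes rule itself.
// The seven install-time hooks the lint rule forbids in community node packages.
const FORBIDDEN_LIFECYCLE_SCRIPTS = new Set([
  'prepare', 'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'postprepare',
]);

/**
 * Parse a package.json document and return one finding per forbidden
 * lifecycle script, as { script, command }. An empty array means clean.
 * Malformed JSON throws, so a broken manifest is never treated as safe.
 */
function findForbiddenLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg && typeof pkg === 'object' ? pkg.scripts : undefined;
  // No scripts field, or a value that is not a plain object: npm runs nothing.
  if (!scripts || typeof scripts !== 'object' || Array.isArray(scripts)) return [];
  return Object.keys(scripts)
    .filter((name) => FORBIDDEN_LIFECYCLE_SCRIPTS.has(name))
    .map((name) => ({ script: name, command: String(scripts[name]) }));
}

/** Render findings as reviewer-facing messages, one per forbidden script. */
function lifecycleScriptMessages(packageJsonText) {
  return findForbiddenLifecycleScripts(packageJsonText).map(
    ({ script, command }) =>
      `Lifecycle script "${script}" is not allowed in community node packages (found: ${command})`,
  );
}

// Constructed sample manifests (hypothetical package names, not real packages).
const SAMPLE_CLEAN = JSON.stringify({
  name: 'n8n-nodes-example-clean',
  version: '1.0.0',
  scripts: { build: 'tsc', lint: 'eslint .', test: 'vitest run' },
});

const SAMPLE_FLAGGED = JSON.stringify({
  name: 'n8n-nodes-example-flagged',
  version: '1.0.0',
  scripts: { build: 'tsc', postinstall: 'node scripts/setup.js', prepare: 'npm run build' },
});

for (const manifest of [SAMPLE_CLEAN, SAMPLE_FLAGGED]) {
  const messages = lifecycleScriptMessages(manifest);
  console.log(JSON.parse(manifest).name, messages.length === 0 ? 'OK' : messages);
}
```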


Summary

Add a new ESLint rule no-forbidden-lifecycle-scripts to @n8n/eslint-plugin-community-nodes that bans npm lifecycle scripts in community node package.json files.

Lifecycle scripts (prepare, preinstall, install, postinstall, prepublish, preprepare, postprepare) run automatically during npm install without user confirmation. In the context of community nodes, this means arbitrary code executes on the n8n instance the moment a node is installed. Community nodes are distributed as pre-built packages, so there is no legitimate reason to hook into install-time lifecycle events.

Identified from 2 real occurrences in code review (CNOC-59, CNOC-498).

How to test

cd packages/@n8n/eslint-plugin-community-nodes
pnpm test no-forbidden-lifecycle-scripts.test.ts

Related Linear tickets, GitHub issues, and Community forum posts

https://linear.app/n8n/issue/CE-736

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse