feat(pnpm): block untrusted package postinstall scripts by default

Author: GiladShoham

scopes/dependencies/pnpm/lynx.ts

@@ -40,6 +40,13 @@ import { isEqual } from 'lodash';
 import { pnpmErrorToBitError } from './pnpm-error-to-bit-error';
 import { readConfig } from './read-config';
 
+/**
+ * Packages that are known to have risky or unnecessary build scripts.
+ * These packages will be disallowed from running scripts by default,
+ * unless the user explicitly allows them in `allowScripts`.
+ */
+const UNTRUSTED_PACKAGE_NAMES = ['es5-ext', 'less', 'protobufjs', 'ssh', 'core-js-pure', 'core-js'];
+
 const installsRunning: Record<string, Promise<any>> = {};
 const cafsLocker = new Map<string, number>();
 
@@ -425,6 +432,12 @@ function resolveScriptPolicies({
         onlyBuiltDependencies.push(trustedPkgName);
       }
     }
+    // Add untrusted packages to ignoredBuiltDependencies unless the user explicitly allows them
+    for (const untrustedPkgName of UNTRUSTED_PACKAGE_NAMES) {
+      if (allowScripts?.[untrustedPkgName] !== true) {
+        ignoredBuiltDependencies.push(untrustedPkgName);
+      }
+    }
   }
 
   return { neverBuiltDependencies: resolvedNeverBuilt, onlyBuiltDependencies, ignoredBuiltDependencies };