I know that there has been a lot of discussions about security and vulnerabilities with allowing npm modules to execute scripts when installing. I'm looking all through the npm documentation but its not clear to me when npm will actually run a script via postinstall. Or does it not do it at all anymore?

I'm interested in publishing a module add a npm script to the project's package.json when it's installed. I tried testing it with this:

"postinstall": "npm set-script prepare node"

but when I install the module I get this:

npm ERR! Scripts can’t set from the postinstall script

But then if I try this:

"postinstall": "node -v"

I don't see the node version printed in the terminal. But I don't receive an error either. I also try this:

"postinstall": "touch testfile"

But no "testfile" is created but I also don't get any error.

Also I recently read that postinstall scripts when doing a general npm install but not when installing a specific module like npm install xyz... I'm not sure how accurate that is.

So, can someone clear this up for me? What works and what doesn't? When does postinstall execution of scripts run and when does it not?

I can certainly understand why dev's should be hesitant to allow npm to execute scripts in the background when installing dependencies. But it seems like a very crucial part of the ecosystem that some modules need to be setup when being installed. I don't know if there is any good answer.