Run npm ci --ignore-scripts in CI with an explicit allowlist #46
james/carol#46
A common npm supply-chain payload is a malicious `postinstall` script that runs at `npm ci` time and exfiltrates secrets, scans the filesystem, or implants further malware. Disabling install scripts in CI shrinks the blast radius of a compromised dependency to packages we explicitly trust to run code at install time — typically a small handful of native-build deps.

Scope

- Add `--ignore-scripts` to every `npm ci` invocation in `.forgejo/workflows/pr.yml` and any other workflow that installs deps (release workflow once #16 lands).
- Allowlist: `better-sqlite3`, `argon2`, `esbuild`, possibly Sharp once we touch image handling. Confirm the list against the current `package.json` rather than guessing.
- Mechanism, one of: npm's built-in `--foreground-scripts` plus a small wrapper that runs `npm rebuild <allowlisted-pkg>` after the no-scripts install, or the `@lavamoat/allow-scripts` workflow (separate config file, `allow-scripts` runs the whitelisted ones). Pick whichever fits cleanly; document the choice.

Acceptance criteria

- No `npm ci` without `--ignore-scripts` (verify with `grep` over the workflows).
- The allowlist is explicit and checked in (`.npmrc`/`package.json` config / a config file for the chosen tool).
- `npm test` (the existing dual-engine matrix) still passes, confirming `better-sqlite3`/`argon2`/similar native deps still build.

Part of epic #2.
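The no-scripts install plus allowlisted rebuild, and the grep-style acceptance check, as an added POSIX shell example (not code from this issue or the repository). It assumes the `npm rebuild` wrapper option rather than `@lavamoat/allow-scripts`, and a plain-text allowlist file (one package name per line); both are assumptions, not decisions recorded here.

```shell
#!/bin/sh
# Added example, not code from the issue or the repository it belongs to.
# Assumptions: the allowlist lives in a plain text file (one package name per
# line, '#' comments allowed) and workflow files are passed in explicitly.

# Acceptance check: every `npm ci` in the given workflow files must carry
# --ignore-scripts. Prints offenders to stderr and returns 1 if any exist.
check_workflows() {
  bad=$(grep -E -n 'npm ci( |$)' "$@" 2>/dev/null | grep -v -- '--ignore-scripts' || true)
  if [ -n "$bad" ]; then
    printf 'npm ci without --ignore-scripts:\n%s\n' "$bad" >&2
    return 1
  fi
}

# Emit one `npm rebuild` line per allowlisted package. Only these packages get
# to run their install-time lifecycle scripts. --ignore-scripts=false overrides
# an ignore-scripts=true set in .npmrc (npm rebuild honours that setting too);
# --foreground-scripts keeps native build output visible in the CI log.
# Names are validated so a tampered allowlist file cannot smuggle shell
# metacharacters into the generated commands.
allowlist_rebuild_cmds() {
  while IFS= read -r pkg; do
    case "$pkg" in
      ''|'#'*) continue ;;
      *[!A-Za-z0-9@/._-]*)
        printf 'rejecting allowlist entry: %s\n' "$pkg" >&2
        return 1 ;;
    esac
    printf 'npm rebuild %s --ignore-scripts=false --foreground-scripts\n' "$pkg"
  done < "$1"
}

# The CI install step: no lifecycle scripts at all, then rebuild only the
# allowlisted native deps. Aborts before running anything if the allowlist
# file is malformed.
install_with_allowlist() {
  cmds=$(allowlist_rebuild_cmds "$1") || return 1
  npm ci --ignore-scripts || return 1
  printf '%s\n' "$cmds" | sh -e
}
```

`check_workflows .forgejo/workflows/*.yml` is the check to run in CI itself so a future workflow edit cannot silently reintroduce a bare `npm ci`.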
npm ci #69