UI Drafter Blog

Security
Getting rid of NPM scripts

November 2, 2020
Eric Fortis

In 2016, Sam Saccone discovered a vulnerability that allows adversaries to run arbitrary scripts when installing an NPM package of theirs. As mitigation, NPM co-founder Laurie Voss suggests:

UI Drafter uses the latter because it avoids having to remember the flag every time. But that option disables NPM "scripts". Therefore, we end up with two alternatives:

#!/bin/sh

case $1 in
  dev)   ./make-dev.js ;;
  test)  mocha "src/**/*.test.js" ;;
  lint)  eslint src ;;
  slint) stylelint "src/**/*.css" ;;

  prod)  time ./make-production.js ;;
  all)   $0 test && $0 lint && $0 slint && $0 prod ;;

  *)     echo "Invalid task $1" >&2; exit 1 ;;
esac

Which can be run as:

./make test

If the package is not globally installed, prefix the path:

lint) node_modules/.bin/eslint src ;;

Overriding at installation

If you need to install packages that install binary dependencies, or rely on running an NPM script, temporarily override the mitigation:

npm install --ignore-scripts=false package-i-trust

EDIT: (Dec/27/2020) As suggested in the Hacker News thread:

Makefile

dev:
	./make-dev.js
test:
	mocha "src/**/*.test.js"
lint:
	eslint src
slint:
	stylelint "src/**/*.css"

prod:
	sh -c "time ./make-production.js"

all: test lint slint prod

.PHONY: dev test lint slint prod all

Which can be run as:

make test