Security
Getting rid of NPM scripts
In 2016, Sam Saccone discovered a vulnerability that allows adversaries to run arbitrary scripts on any machine that installs an NPM package of theirs. As mitigation, NPM co-founder Laurie Voss suggests:
- Option 1: adding --ignore-scripts when running npm install
- Option 2: permanently adding ignore-scripts=true to .npmrc
UI Drafter uses the latter because it avoids having to remember the flag every time. But that option also disables NPM "scripts" (the "scripts" section of package.json). Therefore, we end up with two alternatives:
- Option A: overriding the setting per command:
npm run --ignore-scripts=false test
- Option B: using a shell script, or a Makefile
#!/bin/sh
# Task runner that replaces the NPM "scripts" section, so it keeps working
# with ignore-scripts=true. Each task name maps to the command it runs.
case "$1" in
  dev) ./make-dev.js ;;
  test) mocha "src/**/*.test.js" ;;
  lint) eslint src ;;
  slint) stylelint "src/**/*.css" ;;
  prod) time ./make-production.js ;;
  # "$0" is this script itself: run the tasks in order, stopping at the first failure
  all) "$0" test && "$0" lint && "$0" slint && "$0" prod ;;
  *) echo "Invalid task $1" >&2; exit 1 ;;
esac
Which can be run as:
./make test
If the package is not globally installed, prefix the path:
lint) node_modules/.bin/eslint src ;;
Overriding at installation
If you need to install packages that install binary dependencies, or rely on running an NPM script, temporarily override the mitigation:
npm install --ignore-scripts=false package-i-trust
EDIT: (Dec/27/2020) As suggested in the Hacker News thread:
Makefile
dev:
	./make-dev.js
test:
	mocha "src/**/*.test.js"
lint:
	eslint src
slint:
	stylelint "src/**/*.css"
prod:
	sh -c "time ./make-production.js"
all: test lint slint prod
.PHONY: dev test lint slint prod all
Which can be run as:
make test