UI Drafter

Enable NPM’s ignore-scripts

by Eric Fortis

In 2016, Sam Saccone reported a vulnerability in NPM’s install lifecycle: a package can declare scripts (preinstall, install, postinstall) that NPM runs automatically on the machine of anyone who installs it, so a malicious or compromised package gets arbitrary code execution at install time. As mitigation, NPM co‑founder Laurie Voss suggests:

  • Option 1: passing npm install --ignore-scripts on every install
  • Option 2: adding ignore-scripts=true to your user-level .npmrc (~/.npmrc), which then applies to every npm command you run

UI Drafter uses the latter because it avoids having to remember the flag every time.

Edit

Since NPM v7 the following no longer applies: ignore-scripts now only suppresses the pre and post scripts (pretest, posttest and so on), while an explicitly requested script such as npm test or npm run build still runs. At any rate, you can still use a shell script as discussed below if it is convenient to you (it also starts faster than npm run).

In NPM v6 and earlier, that setting also stops npm run (and npm test) from executing the project’s own package.json scripts. Therefore, we end up with two alternatives:

  • Option A: overriding per invocation: npm run --ignore-scripts=false test
  • Option B: using a shell script as follows, or a Makefile (see below)

#!/bin/sh
# Tiny task runner that replaces "npm run"; saved as ./make and marked executable.
# Each task is a plain shell command, so nothing depends on NPM's lifecycle hooks.

case "$1" in
  dev)    ./make-dev.js ;;
  test)   mocha "src/**/*.test.js" ;;
  lint)   eslint src ;;
  slint)  stylelint "src/**/*.css" ;;

  prod)   time ./make-production.js ;;
  # Re-invoke this script for each task; stops at the first failure.
  all)    "$0" test && "$0" lint && "$0" slint && "$0" prod ;;

  *)      echo "Invalid task: $1" >&2; exit 1 ;;
esac

Which can be run as (after making the script executable with chmod +x make):

$ ./make test

If a tool is not installed globally, prefix its path with the project’s node_modules/.bin, for example:

lint)   node_modules/.bin/eslint src ;;

Overriding at installation

If you need a package whose installation compiles or downloads a binary, or that otherwise relies on an install-time script, temporarily override the mitigation for that one install:

$ npm install --ignore-scripts=false package-i-trust

Be aware that the flag is not scoped to the named package: every package installed during that run, including the dependencies package-i-trust pulls in, gets its lifecycle scripts executed too. Review the dependency tree of anything you trust this way.

Overriding a project

If you can’t follow the above recommendations for a certain project, instead of allowing scripts globally, create an .npmrc file next to that project’s package.json with the following line:

ignore-scripts=false

A project-level .npmrc takes precedence over your user-level one, so this re-enables scripts only inside that directory. The same precedence works against you in unfamiliar code: a repository you clone can ship its own .npmrc containing this line, so check for that file before running npm install there.

Makefile

An alternative suggested in the Hacker News thread (recipe lines must be indented with a tab):

dev:
	./make-dev.js
test:
	mocha "src/**/*.test.js"
lint:
	eslint src
slint:
	stylelint "src/**/*.css"

prod:
	sh -c "time ./make-production.js"

all: test lint slint prod

.PHONY: dev test lint slint prod all

Which can be run as:

$ make test
