From 5fa7ae7f9c4d337d75679de6f6eb2f58816390db Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Tue, 14 Mar 2023 09:18:50 +0100
Subject: [PATCH] Run `npm install` with `--ignore-scripts`

https://github.com/cockpit-project/bots/blob/main/npm does that as well. We don't expect/depend on scripts, and this closes at least one major attack vector of `npm install` against developer machines.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 6f4efb1..46b1391 100644
--- a/Makefile
+++ b/Makefile
@@ -204,7 +204,7 @@ $(NODE_MODULES_TEST): package.json
 # if it exists already, npm install won't update it; force that so that we always get up-to-date packages
 rm -f package-lock.json
 # unset NODE_ENV, skips devDependencies otherwise
-env -u NODE_ENV npm install
+env -u NODE_ENV npm install --ignore-scripts
 env -u NODE_ENV npm prune
 
 .PHONY: all clean install devel-install devel-uninstall print-version dist node-cache rpm prepare-check check vm print-vm
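Review bot: The `npm prune` line immediately after the changed `npm install` still runs without `--ignore-scripts`, so lifecycle scripts of the packages it touches can still execute on the developer machine this commit is trying to protect; `npm prune` accepts the same flag, so the recipe should read `env -u NODE_ENV npm prune --ignore-scripts`. If other npm invocations exist elsewhere in the Makefile, a project-level `.npmrc` with `ignore-scripts=true` would cover all of them consistently, though that changes behaviour for every developer running npm in the checkout and should be weighed separately. Since `--ignore-scripts` also suppresses this project's own `prepare`/`postinstall` hooks, a short comment above the install line stating that no package.json scripts are relied upon, as the commit message says, would keep the intent visible to the next maintainer. The `$(NODE_MODULES_TEST)` rule header is outside the hunk; only its recipe is visible here.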