Techognito/starter-kit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Run npm install with --ignore-scripts

Browse source 
https://github.com/cockpit-project/bots/blob/main/npm does that as well.
We don't expect/depend on scripts, and this closes at least one major
attack vector of `npm install` against developer machines.
This commit is contained in:
Martin Pitt 2023-03-14 09:18:50 +01:00 committed by Martin Pitt
parent 58c60f1736
commit 5fa7ae7f9c
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -204,7 +204,7 @@ $(NODE_MODULES_TEST): package.json
# if it exists already, npm install won't update it; force that so that we always get up-to-date packages # if it exists already, npm install won't update it; force that so that we always get up-to-date packages
rm -f package-lock.json rm -f package-lock.json
# unset NODE_ENV, skips devDependencies otherwise # unset NODE_ENV, skips devDependencies otherwise
env -u NODE_ENV npm install env -u NODE_ENV npm install --ignore-scripts
env -u NODE_ENV npm prune env -u NODE_ENV npm prune
.PHONY: all clean install devel-install devel-uninstall print-version dist node-cache rpm prepare-check check vm print-vm .PHONY: all clean install devel-install devel-uninstall print-version dist node-cache rpm prepare-check check vm print-vm