Skip to content

Add .npmrc with security hardening settings#51

Open
danmcc-admin wants to merge 1 commit into
mainfrom
security/add-npmrc
Open

Add .npmrc with security hardening settings#51
danmcc-admin wants to merge 1 commit into
mainfrom
security/add-npmrc

Conversation

@danmcc-admin

Copy link
Copy Markdown

Summary

  • Adds .npmrc with ignore-scripts=true and save-exact=true
  • ignore-scripts=true prevents arbitrary code execution during npm install (supply chain defense)
  • save-exact=true pins exact dependency versions for reproducible builds

If a package requires install scripts

Add a per-package allowlist in .npmrc:

lifecycle-script-allowed[]=sharp
lifecycle-script-allowed[]=esbuild

Or run one-off with:

npm install --ignore-scripts=false <package-name>

Context

Part of an org-wide security hardening initiative for all npm-based repositories.

Security hardening: ignore-scripts prevents malicious install scripts
from running during npm install, and save-exact pins dependency versions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 10, 2026 01:47
@danmcc-admin danmcc-admin requested a review from a team as a code owner June 10, 2026 01:47

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds repository-level npm configuration intended to harden installs by disabling lifecycle scripts and enforcing exact version pinning for dependencies.

Changes:

  • Introduces .npmrc with ignore-scripts=true to prevent running install/postinstall scripts during npm install/npm ci.
  • Enables save-exact=true so newly added dependencies are saved with exact versions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .npmrc
Comment on lines +1 to +2
ignore-scripts=true
save-exact=true

@constructor-claude-bedrock constructor-claude-bedrock Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This PR adds a .npmrc file with ignore-scripts=true and save-exact=true as a security hardening measure, but the ignore-scripts=true setting will break the installation of 6 packages in the dependency tree that rely on lifecycle scripts (esbuild, @tailwindcss/oxide, @parcel/watcher, fsevents, playwright/fsevents, unrs-resolver).

Inline comments: 3 discussions added

Overall Assessment: ⚠️ Needs Work

Comment thread .npmrc
@@ -0,0 +1,2 @@
ignore-scripts=true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Issue: ignore-scripts=true will break installation of 6 packages in the current dependency tree that rely on lifecycle scripts to function. The package-lock.json shows the following packages have hasInstallScript: true:

  • node_modules/esbuild — downloads the platform-specific binary via its install script (required by Vite)
  • node_modules/@tailwindcss/oxide — native Rust binary installed via napi-postinstall
  • node_modules/@parcel/watcher — native file-watching binary
  • node_modules/unrs-resolver — native resolver binary
  • node_modules/fsevents (×2) — macOS native file system events

With this setting, npm install will silently skip these scripts and the packages will be partially installed, causing build/test failures (e.g., vite and tailwindcss will fail to start because their native binaries are missing).

The .npmrc allowlist syntax shown in the PR description (lifecycle-script-allowed[]=esbuild) is not a real npm feature — npm has no such option. The correct mitigation is either:

  1. Remove ignore-scripts=true and rely on npm audit / a tool like Diffend (which the repo already uses via run-diffend.yml) for supply chain defense, or
  2. Use npm install --ignore-scripts only in specific CI steps that don't need native binaries, and document exactly which steps those are.

Comment thread .npmrc
@@ -0,0 +1,2 @@
ignore-scripts=true
save-exact=true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important Issue: save-exact=true pins the version written into package.json when running npm install <package>, but it has no effect on the existing package.json entries which already use range specifiers (e.g., "^7.1.12"). The existing ranges will still be resolved to the latest matching version unless the developer also updates all existing package.json entries to exact versions. Since package-lock.json already provides reproducibility for all collaborators and CI, the practical benefit here is marginal and only applies to future npm install <pkg> invocations. Consider whether this aligns with the team's actual versioning workflow, or whether tightening package.json ranges directly would be more effective.

Comment thread .npmrc
@@ -0,0 +1,2 @@
ignore-scripts=true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important Issue: The CI workflows (run-tests.yml, run-lint.yml) use npm install (not npm ci), which means they will be affected by this .npmrc setting immediately. With ignore-scripts=true active, the npm install step in those workflows will install broken packages and the subsequent build/test steps will fail. The workflows that already use npm ci (check-types.yml, deploy-storybook.yml, publish.yml, react-compat.yml) are equally affected. This is a blocking change for all CI pipelines.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants