Conversation

Contributor

@mulahasanovic mulahasanovic commented Dec 9, 2025

Issue

Post-install (and other lifecycle) scripts are a top supply-chain attack vector (Shai-Hulud, Nx, event-stream). Any dependency or transitive dependency can execute arbitrary code at install time.

Intent

npm hardening - disable all lifecycle scripts globally.

Implementation

Update .npmrc, set ignore-scripts to true.

npm config set ignore-scripts true

Checks

  • Code is formatted correctly (sasjs lint).
  • Any new functionality has been unit tested.
  • All unit tests are passing (sasjs test).
  • The PR desc or underlying commits follow the Conventional Commit standard.
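As an added example for the hardening described above (not part of this PR or the project's own code): a POSIX shell check that reads an .npmrc file and confirms `ignore-scripts` is set to `true`, plus an idempotent helper that applies the setting. It does not need the npm CLI installed, so it can run in CI against a checked-in project .npmrc. The function names and the sample .npmrc contents are constructed for the example; it assumes the standard npmrc `key=value` line format with `#`/`;` full-line comments and, like npm, lets the last assignment win.

```shell
#!/bin/sh
# Added example, not part of the PR: verify and apply "ignore-scripts=true"
# in an .npmrc without calling npm. Assumes standard "key=value" lines and
# "#" or ";" full-line comments (constructed helper, hypothetical names).

# Return 0 if the .npmrc at $1 sets ignore-scripts to true, else 1.
npmrc_ignores_scripts() {
  file="$1"
  [ -f "$file" ] || return 1
  # Blank out full-line comments, keep only ignore-scripts assignments,
  # take the last one (npm semantics), then trim whitespace around the value.
  val=$(sed -e 's/^[[:space:]]*[#;].*$//' "$file" \
        | grep '^[[:space:]]*ignore-scripts[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
  [ "$val" = "true" ]
}

# Make sure the .npmrc at $1 ends up with exactly one "ignore-scripts=true".
# Leaves the file untouched if it is already hardened; creates it if missing.
ensure_ignore_scripts() {
  file="$1"
  if npmrc_ignores_scripts "$file"; then
    return 0
  fi
  tmp="$file.tmp.$$"
  if [ -f "$file" ]; then
    # Drop any existing ignore-scripts assignment (e.g. "=false"); keep the rest.
    # grep -v exits 1 when nothing remains, which is fine here.
    grep -v '^[[:space:]]*ignore-scripts[[:space:]]*=' "$file" > "$tmp" || :
  else
    : > "$tmp"
  fi
  printf 'ignore-scripts=true\n' >> "$tmp"
  mv "$tmp" "$file"
}

# Demo on a constructed project-local .npmrc in a temporary directory.
demo_dir=$(mktemp -d)
printf 'registry=https://registry.npmjs.org/\nignore-scripts=false\n' > "$demo_dir/.npmrc"
ensure_ignore_scripts "$demo_dir/.npmrc"
if npmrc_ignores_scripts "$demo_dir/.npmrc"; then
  echo "hardened .npmrc: $(tr '\n' ' ' < "$demo_dir/.npmrc")"
fi
rm -rf "$demo_dir"
```

Running `ensure_ignore_scripts .npmrc` in a repository root is equivalent to the `npm config set ignore-scripts true --location=project` step but checkable in CI. Note the trade-off: with `ignore-scripts` on, npm also skips the project's own `prepare`/`postinstall` hooks (for example Husky setup), while explicit invocations such as `npm test` and `npm run <script>` still run their named script, just without `pre`/`post` hooks.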

@allanbowe allanbowe merged commit db15c66 into main Dec 9, 2025
1 of 2 checks passed
@allanbowe allanbowe deleted the build/disable-npm-scripts branch December 9, 2025 16:10
@github-actions

🎉 This PR is included in version 4.59.10 🎉

The release is available on:

Your semantic-release bot 📦🚀

3 participants