
Commit d48a80c

fix(security): prepare for npm v12 breaking changes (#1072)
* chore(ci): bump e2e workflow Node to 24.12.0 and track NODE_VERSION via Renovate Node 20 is EOL and will be unsupported by npm 12. Adds a Renovate custom manager so all workflow NODE_VERSION pins receive update PRs. * fix(security): disable dependency install scripts for all npm installs Adopts npm v12's secure default today: every npm ci/install call site (CI workflows, Dockerfile, Makefile, scripts, package.json pre-hooks) now passes --ignore-scripts, and unrs-resolver's postinstall is explicitly denied via allowScripts (it ships prebuilt binaries; the script is only a fallback build). Verified: clean installs, frontend build, type-check, and full unit suite all pass with scripts disabled. --------- Co-authored-by: GitHub Actions <actions@github.com>
1 parent 93e1b48 commit d48a80c

12 files changed

Lines changed: 35 additions & 19 deletions


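--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -225,6 +225,19 @@
 "datasourceTemplate": "golang-version",
 "versioningTemplate": "semver"
 },
+{
+"customType": "regex",
+"description": "Track NODE_VERSION in Actions workflows",
+"managerFilePatterns": [
+"/^\\.github/workflows/.*\\.yml$/"
+],
+"matchStrings": [
+"NODE_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
+],
+"depNameTemplate": "node",
+"datasourceTemplate": "node-version",
+"versioningTemplate": "node"
+},
 {
 "customType": "regex",
 "description": "Track GO_VERSION in Actions workflows",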

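--- a/.github/skills/test-e2e-playwright-coverage-scripts/run.sh
+++ b/.github/skills/test-e2e-playwright-coverage-scripts/run.sh
@@ -158,7 +158,7 @@ start_vite() {
 # Ensure dependencies are installed
 if [[ ! -d "node_modules" ]]; then
 log_info "Installing frontend dependencies..."
-npm ci --silent
+npm ci --silent --ignore-scripts
 fi
 
 # Start Vite in background with explicit port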

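--- a/.github/workflows/codecov-upload.yml
+++ b/.github/workflows/codecov-upload.yml
@@ -174,7 +174,7 @@ jobs:
 
 - name: Install dependencies
 working-directory: frontend
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Run frontend tests and coverage
 working-directory: ${{ github.workspace }}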

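--- a/.github/workflows/e2e-tests-split.yml
+++ b/.github/workflows/e2e-tests-split.yml
@@ -82,7 +82,7 @@ on:
 pull_request:
 
 env:
-NODE_VERSION: '20'
+NODE_VERSION: '24.12.0'
 GO_VERSION: '1.26.4'
 GOTOOLCHAIN: local
 DOCKERHUB_REGISTRY: docker.io
@@ -166,7 +166,7 @@ jobs:
 
 - name: Install dependencies
 if: steps.resolve-image.outputs.image_source == 'build'
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Set up Docker Buildx
 if: steps.resolve-image.outputs.image_source == 'build'
@@ -304,7 +304,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium
 run: |
@@ -506,7 +506,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium (required by security-tests dependency)
 run: |
@@ -716,7 +716,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium (required by security-tests dependency)
 run: |
@@ -953,7 +953,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium
 run: |
@@ -1191,7 +1191,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium (required by security-tests dependency)
 run: |
@@ -1437,7 +1437,7 @@ jobs:
 exit 1
 
 - name: Install dependencies
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Install Playwright Chromium (required by security-tests dependency)
 run: |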

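--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -310,7 +310,7 @@ jobs:
 
 - name: Install dependencies
 working-directory: frontend
-run: npm ci
+run: npm ci --ignore-scripts
 
 - name: Run frontend tests and coverage
 id: frontend-tests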

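--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -62,7 +62,7 @@ jobs:
 # Inject version into frontend build from tag (if present)
 VERSION=${GITHUB_REF#refs/tags/}
 echo "VITE_APP_VERSION=${VERSION}" >> "$GITHUB_ENV"
-npm ci
+npm ci --ignore-scripts
 npm run build
 
 - name: Install Cross-Compilation Tools (Zig)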

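--- a/Dockerfile
+++ b/Dockerfile
@@ -118,7 +118,7 @@ RUN apk upgrade --no-cache && \
 # hadolint ignore=DL3059
 RUN npm install -g picomatch@4.0.4 --no-fund --no-audit
 
-RUN npm ci
+RUN npm ci --ignore-scripts
 
 # Copy frontend source and build
 COPY frontend/ ./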
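Review bot: The global `npm install -g picomatch@4.0.4 --no-fund --no-audit` two lines above the changed `RUN npm ci` still runs lifecycle scripts, so the commit's stated policy of passing `--ignore-scripts` at every install call site is not fully applied in this file. A global install during the image build writes outside the project tree with whatever privileges the build stage has, so it is at least as sensitive as the project install. Suggest `RUN npm install -g picomatch@4.0.4 --no-fund --no-audit --ignore-scripts` for consistency; if picomatch declares no install scripts the flag changes nothing, which is fine. The `RUN apk upgrade` chain named in the hunk header starts outside the hunk.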

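--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,7 @@ install:
 @echo "Installing backend dependencies..."
 cd backend && go mod download
 @echo "Installing frontend dependencies..."
-cd frontend && npm install
+cd frontend && npm install --ignore-scripts
 
 # Install Go development tools
 install-tools: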
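Review bot: The changed `install` target still uses `npm install` where every other call site in this commit uses `npm ci`, so a local `make install` can resolve and rewrite `package-lock.json` rather than reproduce the locked tree that the CI workflows and the Dockerfile install. If the lockfile is meant to be authoritative, `cd frontend && npm ci --ignore-scripts` keeps the Makefile path on the same dependency set as the pipelines; keep `npm install` only if this target is intentionally the place where the lockfile gets updated, and say so in the `@echo` or a comment.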

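--- a/frontend/package.json
+++ b/frontend/package.json
@@ -10,15 +10,15 @@
 "scripts": {
 "dev": "vite",
 "build": "tsc -p tsconfig.build.json && vite build",
-"pretype-check": "npm ci --silent",
+"pretype-check": "npm ci --silent --ignore-scripts",
 "type-check": "tsc --noEmit",
 "lint": "eslint . --report-unused-disable-directives",
 "preview": "vite preview",
 "test": "NODE_OPTIONS=--max-old-space-size=4096 vitest run",
 "test:ci": "NODE_OPTIONS=--max-old-space-size=4096 vitest run",
 "test:ui": "vitest --ui",
 "check-coverage": "bash ../scripts/frontend-test-coverage.sh",
-"pretest:coverage": "npm ci --silent && node -e \"require('fs').mkdirSync('coverage/.tmp', { recursive: true })\"",
+"pretest:coverage": "npm ci --silent --ignore-scripts && node -e \"require('fs').mkdirSync('coverage/.tmp', { recursive: true })\"",
 "test:coverage": "NODE_OPTIONS=--max-old-space-size=4096 vitest run --coverage",
 "e2e:install": "npx playwright install --with-deps",
 "e2e:test": "playwright test",
@@ -114,5 +114,8 @@
 "@vitejs/plugin-react": {
 "vite": "^8.0.16"
 }
+},
+"allowScripts": {
+"unrs-resolver": false
 }
 }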
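Review bot: The new top-level `allowScripts` entry in the second hunk is honored only by an npm release that implements that key, so, as far as I can tell, a developer running a plain `npm install` in frontend/ with the npm bundled with an older Node would still execute unrs-resolver's postinstall; the control that actually holds in this change is `--ignore-scripts` on each invocation, which covers the `pretype-check` and `pretest:coverage` hooks in the first hunk but not a direct install. If that gap matters, a `frontend/.npmrc` containing `ignore-scripts=true` applies the secure default to every npm invocation in that directory regardless of npm version and cannot be forgotten at a new call site. Strict JSON admits no comment, so the rationale that unrs-resolver ships prebuilt binaries and its postinstall is only a fallback build currently lives only in the commit message; consider recording it in the contributor docs alongside the instruction that scripts are disabled by policy.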

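--- a/scripts/frontend-test-coverage.sh
+++ b/scripts/frontend-test-coverage.sh
@@ -19,7 +19,7 @@ RUN_COVERAGE_DIR="coverage/.run-${PPID}-$$-$(date +%s)"
 cd "$FRONTEND_DIR"
 
 # Ensure dependencies are installed for CI runs
-npm ci --silent
+npm ci --silent --ignore-scripts
 
 # Ensure coverage output directories exist
 mkdir -p "$CANONICAL_COVERAGE_DIR"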
