website/docs: document npm install-script blocking #22461
Conversation
tanberry left a comment:
Thank you @GirlBossRush, this is very helpful. Especially the "do not turn off" explicitness.
(force-pushed: 2fce6f1 to ee3db01)
The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the dominant npm supply-chain attack pattern (preinstall/postinstall payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud" incidents). The trade-off is that a handful of packages that ship native binaries — esbuild, chromedriver, tree-sitter — need to be rebuilt explicitly when their install step is required. Today this is implicit; a new contributor whose build fails because esbuild's binary didn't unpack has no obvious next step except to disable the protection. Documenting it in both setup guides points them at `npm rebuild --foreground-scripts <pkg>` and makes the "don't flip `ignore-scripts` off" guidance explicit. No code or config changes — docs only. Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
(force-pushed: ee3db01 to 3715aaa)
| npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json | ||
| ``` | ||
|
|
||
| **Do not** edit `.npmrc` to flip `ignore-scripts` off — that re-introduces the risk repo-wide. |
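Review bot: the admonition gives the `npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json` line but not when to run it or how to confirm it worked; the commit message names the trigger (a build failing because esbuild's binary did not unpack), so state that symptom next to the command and add a one-line check such as `npx esbuild --version` after the rebuild. One clause on `--foreground-scripts` would also help: it only streams the install scripts' stdout/stderr to the terminal so a failing script is visible, it does not change which packages get rebuilt. The **Do not** edit `.npmrc` line reads well as written.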
ehhhh I'd say people can do what they please on their local machines (if not corp-owned, but considering this is contribution docs, probably just external). We have the file for a reason and I don't really see the need to outline the fact to not modify this one over others. Anyways, if any npm files are modified we'll see it when a PR is opened.
I think it's fine to mention it explicitly just in case some LLM tells them to do it as a quick fix. They can always ignore the note.
dewi-tik left a comment:
A few minor suggestions, otherwise all good.
Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Summary

Adds an `:::info` admonition to both contributor setup guides explaining:

- `.npmrc` sets `ignore-scripts=true` and why (neutralizes the dominant npm supply-chain attack class — "Shai-Hulud" / "Mini Shai-Hulud" payloads run from `preinstall`)
- `npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json`
- "Don't flip `ignore-scripts` off" guidance

Files touched:

- `website/docs/developer-docs/setup/full-dev-environment.mdx` — admonition right after `make install`
- `website/docs/developer-docs/setup/frontend-dev-environment.md` — admonition right after `make node-install`

This is docs-only — no code or config changes. The motivation is that the rationale for `.npmrc` is currently only present as an inline comment in `.npmrc` itself; a contributor whose esbuild build silently fails has no obvious next step except to disable the protection, which is exactly what we want to discourage.

Test plan

- `make docs` / website preview passes
- `:::info` admonitions render correctly
- `web/package.json` / root deps