From 7b9d3695609cb372de04846379bd463b8e579fa0 Mon Sep 17 00:00:00 2001
From: Linearb CI
Date: Sat, 4 Apr 2026 11:49:15 +0300
Subject: [PATCH] security: harden npm install against supply chain attacks

- Add npm cache clean --force before install to prevent stale/malicious cached tarballs
- Add --ignore-scripts to block malicious postinstall hooks (e.g. axios CVE)
- Remove --silent to make installed versions visible in logs

Co-Authored-By: Claude Sonnet 4.6
---
 action.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 7c412725..104d12b1 100644
--- a/action.yml
+++ b/action.yml
@@ -117,10 +117,14 @@ runs:
       shell: bash
       run: mv gitstream code
 
+    - name: Clear npm cache
+      shell: bash
+      run: npm cache clean --force
+
     - name: Install Dependencies for plugins
       shell: bash
       continue-on-error: true
-      run: npm i --silent moment@2.30.1 lodash@4.18.1 axios@1.14.0 @octokit/rest@20.1.1
+      run: npm i --ignore-scripts moment@2.30.1 lodash@4.18.1 axios@1.14.0 @octokit/rest@20.1.1
 
     - name: Run RulesEngine
       shell: bash
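Review bot: The install step keeps `continue-on-error: true`, so if `npm i --ignore-scripts …` fails on a resolution or integrity error the job still proceeds to `Run RulesEngine` with whatever node_modules exists, which undercuts the hardening this patch intends; drop `continue-on-error: true` or fail the step explicitly when the four named packages are not present afterwards. Pinning exact versions on the command line also leaves every transitive dependency unpinned and unverified; the stronger form is to commit a package-lock.json for these packages and run `npm ci --ignore-scripts`, which rejects any fetched tarball whose hash does not match the lockfile's `integrity` field. The added `npm cache clean --force` step likely adds little protection, since npm's cache is content-addressed and verified on extraction, so it mainly costs install time and should not be treated as the control here. Since `--silent` was removed to expose versions in the log, a follow-up `npm ls --depth=0` in the same `run:` would make the resolved versions explicit rather than relying on npm's install summary. The `Run RulesEngine` step continues outside the hunk.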