
Harden npm install security#413

Merged
ybiquitous merged 2 commits into main from harden-npm-install
May 4, 2026

Conversation

@ybiquitous

@ybiquitous ybiquitous commented May 4, 2026

Which issue, if any, is this issue related to?

None

Is there anything in the PR that needs further explanation?

This PR adds three flags to .npmrc to reduce supply-chain risk:

  • allow-git = "none" — block git URL dependencies.
  • ignore-scripts = true — skip lifecycle scripts on install.
  • min-release-age = 3 — only install package versions at least 3 days old.

Note: contributors must run npm run prepare manually post-clone to set the local git hooks path, since ignore-scripts skips the prepare script.

Ref:

Add three flags to `.npmrc` to reduce supply-chain risk:

- `allow-git = none` — block git URL dependencies.
- `ignore-scripts = true` — skip lifecycle scripts on install.
- `min-release-age = 3` — only install package versions at least 3 days old.

Note: contributors must run `npm run prepare` manually post-clone to set
the local git hooks path, since `ignore-scripts` skips the `prepare`
script.

Ref: https://github.com/lirantal/npm-security-best-practices/blob/a98aeb7197d3820686337f28ea96ffe94333457b/README.md
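The three settings described above, as an added example that is not part of the PR or of the project's own code: a POSIX shell checker that reads an `.npmrc` the way npm does (ini-style `key = value`, `;`/`#` comments, optional quotes around the value) and reports which of the three hardening settings are missing or weaker than required. The function names `npmrc_get` and `npmrc_check`, the default of 3 days, and the three sample `.npmrc` files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Checks a single .npmrc
# file for the three supply-chain hardening settings the PR adds.
# `npmrc_get`, `npmrc_check` and the sample files below are constructed here.

# Print the value of KEY from FILE (ini-style). Tolerates spaces around '=',
# ';' or '#' comment lines, and one layer of double or single quotes.
npmrc_get() {
  key=$1; file=$2
  awk -v k="$key" -v sq="'" '
    /^[[:space:]]*[;#]/ { next }                  # comment line
    index($0, "=") > 0 {
      split($0, kv, "=")
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
      if (kv[1] != k) next
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      n = length(v)
      if (n >= 2 && ((substr(v,1,1) == "\"" && substr(v,n,1) == "\"") ||
                     (substr(v,1,1) == sq   && substr(v,n,1) == sq)))
        v = substr(v, 2, n - 2)                   # strip surrounding quotes
      print v; exit
    }' "$file"
}

# Return 0 when FILE blocks git deps, skips lifecycle scripts and requires a
# release age of at least MIN_DAYS (default 3); otherwise print each weak or
# missing setting and return 1.
npmrc_check() {
  file=$1; min_days=${2:-3}; rc=0

  git_policy=$(npmrc_get allow-git "$file")
  [ "$git_policy" = "none" ] \
    || { echo "allow-git: want none, got '${git_policy:-<unset>}'"; rc=1; }

  scripts=$(npmrc_get ignore-scripts "$file")
  [ "$scripts" = "true" ] \
    || { echo "ignore-scripts: want true, got '${scripts:-<unset>}'"; rc=1; }

  age=$(npmrc_get min-release-age "$file")
  case $age in
    ''|*[!0-9]*)
      echo "min-release-age: want >= $min_days, got '${age:-<unset>}'"; rc=1 ;;
    *)
      [ "$age" -ge "$min_days" ] \
        || { echo "min-release-age: want >= $min_days, got $age"; rc=1; } ;;
  esac
  return $rc
}

# Constructed samples: a typical unhardened .npmrc, one written with quoted
# values and tabs (as the PR description shows), and the PR's own three lines.
tmp=$(mktemp -d)
printf 'save-exact=true\n' > "$tmp/weak.npmrc"
printf '; quoted style\nallow-git\t= "none"\nignore-scripts = true\nmin-release-age = 7\n' \
  > "$tmp/quoted.npmrc"
printf 'allow-git = none\nignore-scripts = true\nmin-release-age = 3\n' \
  > "$tmp/hardened.npmrc"

for name in weak quoted hardened; do
  if npmrc_check "$tmp/$name.npmrc"; then
    echo "$name.npmrc: OK, all three hardening settings present"
  else
    echo "$name.npmrc: NOT hardened (see above)"
  fi
done
```

The checker only reads one file. npm layers the project `.npmrc`, the user and global rc files, and `npm_config_*` environment variables, so `npm config get allow-git` run inside the checkout is what shows the value npm will actually apply. A passing check is also exactly the state in which, as the PR notes, `npm run prepare` has to be run by hand after cloning, because `ignore-scripts = true` silences the repository's own `prepare` hook along with every dependency's.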
@ybiquitous ybiquitous added the `pr: dependencies` (relates to dependencies) label May 4, 2026
@ybiquitous ybiquitous marked this pull request as ready for review May 4, 2026 08:02

@jeddy3 jeddy3 left a comment

LGTM, thank you!


Labels

pr: dependencies (relates to dependencies)
