
Harden npm install security#562

Merged
ybiquitous merged 1 commit into main from harden-npm-install on May 5, 2026

Conversation

@ybiquitous (Member)

Which issue, if any, is this issue related to?

Same as stylelint/stylelint-config-standard#413

Is there anything in the PR that needs further explanation?

Add three flags to `.npmrc` to reduce supply-chain risk:

- `allow-git = "none"` — block git URL dependencies.
- `ignore-scripts = true` — skip lifecycle scripts on install.
- `min-release-age = 3` — only install package versions at least 3 days old.

Note: contributors must run `npm run prepare` manually post-clone to set the local git hooks path, since `ignore-scripts` skips the `prepare` script.

Ref: https://github.com/lirantal/npm-security-best-practices/blob/a98aeb7197d3820686337f28ea96ffe94333457b/README.md

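As an added example (not code from this PR or the stylelint project), a small Node.js checker that parses an `.npmrc` file and reports whether the three keys above are present with the hardened values, so a CI step or pre-commit hook can catch a regression; the `parseNpmrc`/`auditNpmrc` names and the two sample file contents are constructed for this illustration.

```javascript
// Added example, not part of the PR. Expected values and the 3-day
// min-release-age threshold come from the PR description above.
const HARDENING = {
  'allow-git': { ok: (v) => v === 'none', want: 'none' },
  'ignore-scripts': { ok: (v) => v === 'true', want: 'true' },
  'min-release-age': { ok: (v) => Number.isInteger(+v) && +v >= 3, want: '>= 3' },
};

// Minimal .npmrc parser: one "key = value" per line, "#" or ";" comments,
// surrounding quotes stripped (npm's ini parser does the same), later
// lines override earlier ones.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    if (/^".*"$/.test(val) || /^'.*'$/.test(val)) val = val.slice(1, -1);
    cfg[key] = val;
  }
  return cfg;
}

// Returns one finding string per missing or weak key; an empty array
// means all three hardening keys are set as the PR requires.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const findings = [];
  for (const [key, rule] of Object.entries(HARDENING)) {
    if (!(key in cfg)) {
      findings.push(`${key}: missing (want ${rule.want})`);
    } else if (!rule.ok(cfg[key])) {
      findings.push(`${key}: "${cfg[key]}" is weak (want ${rule.want})`);
    }
  }
  return findings;
}

// Constructed sample inputs: a typical unhardened file, and the hardened
// settings this PR adds.
const WEAK_NPMRC = '# constructed sample\nsave-exact = true\nignore-scripts = false\n';
const HARDENED_NPMRC = 'allow-git = "none"\nignore-scripts = true\nmin-release-age = 3\n';

console.log('weak:', auditNpmrc(WEAK_NPMRC));        // three findings
console.log('hardened:', auditNpmrc(HARDENED_NPMRC)); // []
```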
@ybiquitous ybiquitous added the pr: dependencies relates to dependencies label May 5, 2026
@netlify

netlify Bot commented May 5, 2026

Deploy Preview for chimerical-trifle-8d3c21 ready!

🔨 Latest commit: d5072a4
🔍 Latest deploy log: https://app.netlify.com/projects/chimerical-trifle-8d3c21/deploys/69f97f9e7f5c5c0008e57ff4
😎 Deploy Preview: https://deploy-preview-562--chimerical-trifle-8d3c21.netlify.app

@ybiquitous ybiquitous merged commit 502c6e8 into main May 5, 2026
12 checks passed
@ybiquitous ybiquitous deleted the harden-npm-install branch May 5, 2026 06:23