Opened 2 weeks ago
Last modified 2 weeks ago
#64543 new task (blessed)
Implement `ignore-scripts` to harden npm usage
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | |
| Focuses: | javascript | Cc: | |
Description
Lifecycle scripts in npm packages -- in particular postInstall scripts -- are a significant security concern because by default they execute automatically for all dependencies.
Running `npm install` or `npm ci` not only installs packages but also runs the postInstall script in every direct and transitive dependency in the entire dependency tree. The recent "Shai-Hulud" supply chain attack on the npm ecosystem has been successful in part due to postInstall scripts that have allowed it to rapidly self-propagate.
We should strongly consider implementing `ignore-scripts = true` in the `.npmrc` file in order to disable the automatic execution of lifecycle scripts. This will primarily help protect contributors against malicious postInstall scripts that may be introduced by attacks on packages in the dependency tree.
Ironically WordPress core just introduced its own postInstall script in #64393. This is far from ideal.
Making this change will cause some short-term pain while we determine the best way to ensure that all dependencies continue to work and/or provide clear instructions for contributors if manual subsequent steps become necessary. As the ecosystem reels from the "Shai-Hulud" supply chain attack, I fully expect to see more packages remove their postInstall scripts in favour of documenting subsequent steps necessary to, for example, install dependent binaries.
There's some tooling available to assist with determining which dependencies include lifecycle scripts, but not a lot:

```
npm query ':attr(scripts, [postinstall])'
npm query ':attr(scripts, [preinstall])'
npm query ':attr(scripts, [install])'
```

- https://www.npmjs.com/package/can-i-ignore-scripts
- https://www.npmjs.com/package/@lavamoat/allow-scripts
Related links:
The proposed switch to pnpm is interesting in this regard. It can be configured to allow certain dependencies to be built.