New npm allowScripts
After a number of security breaches, npm is finally starting to up its security game. Hooray for everyone, but it also means more work.
New “/tools” and “.tmp” folders
I’ve created a new “tools” folder to help audit npm scripts. It contains one shell script, `audit-npm-script-package.sh`, which is run by calling `npm run audit-script <pkg>@<version>` in the terminal.
This script outputs some files into a .gitignored folder, `.tmp/npm-audit/<folder-name>`.
The process for reviewing these files is:
- `folder/explain.txt` (output of running `npm explain <pkg>`) to see which package called it
- `folder/lifecycle-scripts.txt` to see what lifecycle scripts (namely postinstalls) are being called and why
- `folder/npm-view.json`, which echoes a few keys from `package.json`, namely `scripts`, `repository` and `dist.integrity` - just making sure all is as expected given the last RAT attack (here’s a funny, quick and NSFW video about it)
- If needed, check out `folder/risky-patterns/*` for a further breakdown
Once you’ve determined things are good, add it to package.allowedScripts with the exact version pinned: don’t add the ^ range prefix to the version number!