
fix(security)!: disable node scripts by default#717

Open
xnyo wants to merge 4 commits into
mainfrom
giuseppe/node-pm-ignore-scripts

Conversation


@xnyo xnyo commented May 12, 2026

Disables scripts before running npm/yarn/pnpm install in the frontend action and playwright action. This improves security and protects against npm supply chain attacks that use pre-install, install or post-install scripts to inject malicious payloads.

If those scripts are required, the new node-package-manager-allow-scripts input can be used to restore the old behavior.

For repositories using pnpm, a better approach than using node-package-manager-allow-scripts is to allowlist only the specific packages that genuinely need build scripts, reducing the blast radius. The setting to use depends on the pnpm version:

pnpm ≤9 and pnpm 10 (before 10.26) — add to package.json:

{
  "pnpm": {
    "onlyBuiltDependencies": ["esbuild", "sharp"]
  }
}

pnpm 10.26+ — add to pnpm-workspace.yaml:

allowBuilds:
  esbuild: true
  sharp: true

pnpm 11+ — same as above (onlyBuiltDependencies is removed in pnpm 11, allowBuilds is the only supported option):

allowBuilds:
  esbuild: true
  sharp: true

Note: pnpm 10+ already disables lifecycle scripts by default for all dependencies, so --ignore-scripts has no additional effect for projects on pnpm 10 or later. The CI change is most impactful for npm and yarn projects.

@xnyo xnyo self-assigned this May 12, 2026
@xnyo xnyo added the security The issue is related to a security vulnerability label May 12, 2026
Comment thread .github/workflows/ci.yml
run: |
if [ -f "./cspell.config.json" ]; then
npx --yes cspell@6.13.3 -c cspell.config.json "**/*.{ts,tsx,js,go,md,mdx,yml,yaml,json,scss,css}"
npx --yes --ignore-scripts cspell@6.13.3 -c cspell.config.json "**/*.{ts,tsx,js,go,md,mdx,yml,yaml,json,scss,css}"
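Review bot: the unconditional `--ignore-scripts` on the `npx --yes cspell@6.13.3` line is justified beyond the reason given in the comment (cspell itself declaring no install hooks): `npx --yes` also resolves and installs cspell's transitive dependencies, and the flag suppresses their preinstall/install/postinstall scripts too, so it belongs here regardless of `node-package-manager-allow-scripts`. Stating that in the review comment would keep a future reader from dropping the flag after checking only cspell's own package.json.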
Member Author


cspell doesn't have any lifecycle scripts for install, so it's safe to always skip them, regardless of the value of node-package-manager-allow-scripts.

@xnyo xnyo moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team May 12, 2026
@xnyo xnyo moved this from 🔬 In review to 🧑‍💻 In development in Grafana Catalog Team May 12, 2026
@xnyo xnyo marked this pull request as ready for review May 12, 2026 10:57
@xnyo xnyo requested a review from a team as a code owner May 12, 2026 10:57
@xnyo xnyo requested review from leventebalogh, sunker and wbrowne May 12, 2026 10:57
@xnyo xnyo moved this from 🧑‍💻 In development to 🔬 In review in Grafana Catalog Team May 12, 2026