
chore: mitigate npm supply-chain attacks via .npmrc file#1125

Open
ghostwriter wants to merge 2 commits into
xdebug:mainfrom
ghostwriter:dot-npmrc-configuration

Conversation

@ghostwriter

@ghostwriter ghostwriter commented May 21, 2026

- Add `ignore-scripts=true` to prevent execution of `postinstall` and other lifecycle scripts, supply-chain attack protection.
- Add `min-release-age=7` to avoid packages uploaded in the last 7 days, supply-chain attack protection. (Requires npm >= 11.10.0)
- Add `package-lock=true` to ensure consistent dependency resolution across environments.

Signed-off-by: Nathanael Esayeas <nathanael.esayeas@protonmail.com>
@ghostwriter ghostwriter changed the title Mitigate npm supply-chain attacks via .npmrc file chore: mitigate npm supply-chain attacks via .npmrc file May 21, 2026
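As an added example (not code from the xdebug repository or from this PR), the following POSIX shell check verifies that a project's `.npmrc` actually carries the three settings listed in the PR description and that the npm on the machine is new enough for `min-release-age` to be enforced (the PR states npm >= 11.10.0; an older npm does not understand the key and will not enforce it). The function names, the `.npmrc` path argument and the sample version strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the xdebug project: audit an .npmrc for the
# three supply-chain settings and the npm version needed for min-release-age.

# Return 0 if the .npmrc file "$1" sets key "$2" to a value matching the
# extended-regex "$3" (whole-line match, surrounding whitespace allowed).
npmrc_has() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# Return 0 if dotted version "$1" is >= dotted version "$2" (e.g. 11.10.0).
# Numeric per-field sort, so 11.10.0 correctly sorts above 11.9.5.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# Check the .npmrc at "$1" against the settings from the PR, given the
# installed npm version "$2" (e.g. from `npm --version`).
# Prints one line per finding; the exit status is the number of missing
# settings, so 0 means all three are present.
check_npmrc() {
  file="$1"
  npm_version="$2"
  missing=0

  npmrc_has "$file" ignore-scripts true ||
    { echo "missing: ignore-scripts=true (lifecycle scripts would run on install)"; missing=$((missing + 1)); }

  npmrc_has "$file" package-lock true ||
    { echo "missing: package-lock=true (dependency resolution not pinned)"; missing=$((missing + 1)); }

  if npmrc_has "$file" min-release-age '[0-9]+'; then
    # The key is present, but only npm >= 11.10.0 enforces it.
    version_ge "$npm_version" 11.10.0 ||
      echo "warning: min-release-age needs npm >= 11.10.0, found $npm_version; it will not be enforced"
  else
    echo "missing: min-release-age=<days> (freshly published versions are not held back)"
    missing=$((missing + 1))
  fi

  return "$missing"
}

# Stand-alone usage: audit the current directory's .npmrc against the
# locally installed npm.
if [ "${1:-}" = "--run" ]; then
  check_npmrc ./.npmrc "$(npm --version 2>/dev/null || echo 0.0.0)"
fi
```

Run it as `sh check_npmrc.sh --run` from the project root; a non-zero exit status lists which of the three settings is absent, and the version warning tells you when `min-release-age` is present in the file but the local npm is too old to honour it.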
