Skip to content

chore(npm): block dependency install scripts#974

Merged
overbalance merged 1 commit into
mainfrom
freeze/ignore-scripts
Nov 15, 2025
Merged

chore(npm): block dependency install scripts#974
overbalance merged 1 commit into
mainfrom
freeze/ignore-scripts

Conversation

@overbalance
Copy link
Copy Markdown
Member

@overbalance overbalance commented Nov 14, 2025

What problem is this solving?

Dependency postinstall scripts can execute arbitrary code during install, creating a security risk. This prevents malicious or unexpected scripts from running.

Short description of changes

  • Added ignore-scripts=true to .npmrc to block all dependency postinstall scripts
  • Removed include=optional from .npmrc (unused)
  • Added prepare script that explicitly runs lefthook install -f to maintain git hooks functionality

Testing

  • Verified lefthook hooks still install and run correctly
  • Confirmed 3 dependencies with postinstall scripts (esbuild, lefthook, protobufjs) are now blocked except via prepare script
  • Pre-commit hooks passed successfully

@overbalance overbalance requested a review from a team as a code owner November 14, 2025 22:17
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 14, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@overbalance overbalance self-assigned this Nov 14, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 14, 2025

Performance results

CDP Performance Tests

Number of Requests Size of Requests Script Duration Task Duration Heap Used Size
Requests +3 requests +29.60 KB
Page Loaded +14.76 ms +1.76 ms +0.91 MB
Generate 100 fetch requests +8.82 ms +44.84 ms +2.31 MB
Generate 100 XHR requests +33.82 ms +86.92 ms +2.39 MB
Click 100 buttons and generate 100 logs +30.75 ms +43.13 ms +2.92 MB
Throw a 100 exceptions +2.01 ms +25.71 ms +2.10 MB
End Session +6.86 ms +13.72 ms +2.98 MB
Total +3 requests +29.60 KB +97.02 ms +216.09 ms +13.61 MB

Lighthouse Startup Performance Tests

Difference Description
Total Blocking Time 0 ms Difference in Total Blocking Time: Sum of all time periods between FCP and Time to Interactive, when task length exceeded 50ms, expressed in milliseconds. Learn more about the Total Blocking Time metric.
Main Thread Time +57.42 ms Difference in Main Thread Time: Consider reducing the time spent parsing, compiling and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to minimize main-thread work
Script Evaluation Time +42.21 ms Difference in Script Evaluation Time: Consider reducing the time spent parsing, compiling, and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to reduce Javascript execution time.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 14, 2025

build results

vite-7 Platform Tests

Total Uncompressed Size Total Gzip Size
vite-7 - esnext +165.26 KB +47.83 KB
vite-7 - es2015 +172.13 KB +49.49 KB

vite-otel-latest Platform Tests

Total Uncompressed Size Total Gzip Size
vite-otel-latest - esnext +164.33 KB +49.52 KB
vite-otel-latest - es2015 +171.12 KB +51.14 KB

webpack-5 Platform Tests

Total Uncompressed Size Total Gzip Size
webpack-5 - esnext +122.81 KB +43.23 KB
webpack-5 - es2015 +123.49 KB +44.69 KB

@overbalance overbalance merged commit fb935b4 into main Nov 15, 2025
17 checks passed
@overbalance overbalance deleted the freeze/ignore-scripts branch November 15, 2025 00:04
@github-actions github-actions Bot mentioned this pull request Nov 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpmunz jpmunz jpmunz approved these changes

Assignees

@overbalance overbalance

Labels

maintenance semver-patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@overbalance @jpmunz