Use --ignore-scripts in release and preview-release installs #16715

Closed
matthewp wants to merge 2 commits into main from ci/ignore-scripts

Use --ignore-scripts in release and preview-release installs#16715
matthewp wants to merge 2 commits into
mainfrom
ci/ignore-scripts

Conversation

@matthewp Contributor

Summary

  • Adds --ignore-scripts to all pnpm install calls in release.yml and preview-release.yml
  • Prevents transitive packages from running lifecycle scripts (postinstall, prepare, etc.) in these privileged contexts that have id-token: write

Even with a frozen lockfile, a compromised dependency could execute arbitrary code during install via lifecycle scripts. --ignore-scripts closes that vector.

Part of supply chain hardening in response to the TanStack/Mini Shai-Hulud compromise.
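As an added illustration (this is not the diff from this PR, whose workflow files are not shown here), a release job of the kind the summary describes, with the install step before and after the change. Job and step names, action versions, and the `build`/`release` scripts are assumptions; the example also goes one step beyond the summary by making the build explicit, since `--ignore-scripts` skips the workspace's own lifecycle scripts too.

```yaml
# Added example, not the project's release.yml.
# The job holds id-token: write, so anything that executes during
# `pnpm install` executes inside that privileged context.
name: release
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # this permission is what makes the install step sensitive

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm

      # Before: a frozen lockfile pins versions, but the lifecycle scripts
      # (postinstall, prepare, ...) of every installed package still run.
      # - run: pnpm install --frozen-lockfile

      # After: no lifecycle scripts run during install. Per the pnpm docs
      # quoted in this thread, this also skips the project's own scripts,
      # so any build the release needs must be an explicit step rather than
      # something install triggers implicitly.
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm run build      # assumed script name
      - run: pnpm run release    # assumed script name
```

The same before/after applies to every `pnpm install` in preview-release.yml; if a dependency legitimately needs its build script (native addons, for example), that is the case for pnpm's per-package build policy mentioned in the review below rather than for dropping the flag.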

@changeset-bot Bot commented May 12, 2026

⚠️ No Changeset found

Latest commit: c2d3850

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions github-actions Bot added the 🚨 action Modifies GitHub Actions label May 12, 2026
@delucis Member left a comment


If the intention is to block dependency scripts, we should probably configure allowBuilds to explicitly disable packages with known scripts instead. (By default, pnpm will already block script execution in dependencies on install). We could also enable strictDepBuilds to get an error for any build scripts we haven’t set a policy for if we want.

It’s a bit pointless adding this flag unless we also want to block scripts in our own packages inside the monorepo, so I’d suggest not adding it unless that’s the intent (AI is very happy to write these comments, but doesn’t mean they’re correct 😄)

@ematipico Member

> Prevents transitive packages from running lifecycle scripts

Are you sure it's correct? The pnpm docs say something different

> Do not execute any scripts defined in the project package.json and its dependencies.

@github-actions github-actions Bot removed the 🚨 action Modifies GitHub Actions label May 12, 2026
@matthewp Contributor Author

Putting it into draft since @delucis is doing a pnpm 11 upgrade.

@matthewp matthewp marked this pull request as draft May 12, 2026 17:21
@matthewp Contributor Author

Closing in favor of #16716

@matthewp matthewp closed this May 12, 2026