Security: Disable NPM package install scripts

See merge request tildes/tildes!178
2026-04-16 06:18:34 +02:00 · 2025-12-16 07:28:37 +00:00
parent 0942c41c29
commit 12eb879d81
2 changed files with 5 additions and 3 deletions
--- a/ansible/roles/nodejs/tasks/main.yml
+++ b/ansible/roles/nodejs/tasks/main.yml
@@ -18,3 +18,5 @@
    # --no-bin-links option is needed to prevent npm from creating symlinks in the .bin
    # directory, which doesn't work inside Vagrant on Windows
    no_bin_links: true
+    # Disable automatic running of package install scripts, for security
+    ignore_scripts: true
--- a/tildes/package-lock.json
+++ b/tildes/package-lock.json
@@ -1478,9 +1478,9 @@
      "license": "MIT"
    },
    "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {