* website/docs: document npm install-script blocking
The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the
dominant npm supply-chain attack pattern (preinstall/postinstall
payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud"
incidents). The trade-off is that a handful of packages that ship
native binaries — esbuild, chromedriver, tree-sitter — need to be
rebuilt explicitly when their install step is required.
Today this is implicit; a new contributor whose build fails because
esbuild's binary didn't unpack has no obvious next step except to
disable the protection. Documenting it in both setup guides points
them at `npm rebuild --foreground-scripts <pkg>` and makes the
"don't flip `ignore-scripts` off" guidance explicit.
No code or config changes — docs only.
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
* Use separate file.
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Teffen Ellis