205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-18 03:19:51 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
5acb5a268567a6a5cfdff77e375eb149d2fdab1e
authentik/website/docs/developer-docs/setup/_npm-install-scripts-admonition.mdx
T
Teffen Ellis 3537ea544d website/docs: document npm install-script blocking (#22461) 
* website/docs: document npm install-script blocking

The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the
dominant npm supply-chain attack pattern (preinstall/postinstall
payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud"
incidents). The trade-off is that a handful of packages that ship
native binaries — esbuild, chromedriver, tree-sitter — need to be
rebuilt explicitly when their install step is required.

Today this is implicit; a new contributor whose build fails because
esbuild's binary didn't unpack has no obvious next step except to
disable the protection. Documenting it in both setup guides points
them at `npm rebuild --foreground-scripts <pkg>` and makes the
"don't flip `ignore-scripts` off" guidance explicit.

No code or config changes — docs only.

Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>

* Use separate file.

* Apply suggestions from code review

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-05-21 12:47:49 +00:00

12 lines
752 B
Plaintext
Raw Blame History

:::info NPM install scripts are disabled by default
The repository's NPM runtime configuration file (`.npmrc`) sets `ignore-scripts=true`. This means that `preinstall`/`install`/`postinstall` lifecycle scripts do not run during `npm ci`. This neutralizes a dominant NPM supply-chain attack pattern at the cost of skipping a few legitimate native-binary unpacks.
If the watch build fails because a package needs its install script (commonly `esbuild`, `chromedriver`, `tree-sitter`, or `tree-sitter-json`), rebuild only that package, for example:
```shell
npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
```
**Do not** edit `.npmrc` to flip `ignore-scripts` off — that re-introduces the risk repository-wide.
:::
Reference in New Issue View Git Blame Copy Permalink