mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
3537ea544d
* website/docs: document npm install-script blocking

  The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the dominant npm supply-chain attack pattern (preinstall/postinstall payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud" incidents). The trade-off is that a handful of packages that ship native binaries — esbuild, chromedriver, tree-sitter — need to be rebuilt explicitly when their install step is required.

  Today this is implicit; a new contributor whose build fails because esbuild's binary didn't unpack has no obvious next step except to disable the protection. Documenting it in both setup guides points them at `npm rebuild --foreground-scripts <pkg>` and makes the "don't flip `ignore-scripts` off" guidance explicit.

  No code or config changes — docs only.

  Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>

* Use separate file.

* Apply suggestions from code review

  Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
  Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>