Mitigate NPM supply chain attacks

Due to recent NPM supply chain attacks like the [Sha1-Hulud](https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised) and [Sha1-Hulud: The Second Coming](https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised), projects can mitigate attacks by ignoring npm lifecycle scripts and using pinned versions of the npm dependencies, and then re-generate the package-lock-json file.

**Ignoring Scrpts**

Consider adding the flag `--ignore-scripts` to the build GitHub Actions to prevent the execution of npm lifecycle scripts (e.g., pre-install and post-install). Sha1-Hulud relies on these scripts to exfiltrate data and replicate itself in the host machine.
```
npm ci --ignore-scripts
```
(Note than `npm-ci`, [ignore scripts is disabled by default](https://docs.npmjs.com/cli/v9/commands/npm-ci#ignore-scripts)).

**Pinned Versions for Dependecies**

Currently, the version number of the [npm dependencies and devDependencies ](https://github.com/Netcentric/fe-build/blob/main/package.json) use the caret character (`^`) which will update [minor and patch versions up to (but not) the next major version](https://semver.npmjs.com/).
```
  "dependencies": {
    "@babel/core": "^7.26.7",
    "@babel/plugin-transform-runtime": "^7.25.9",
    "@babel/preset-env": "^7.26.7",
    "autoprefixer": "^10.4.20",
    ...
  },
```
Removing the caret character (`^`) will harden deployment processes and slightly stop the worm.

———
Yours truly,
Rawl

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Mitigate NPM supply chain attacks #134

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Mitigate NPM supply chain attacks #134

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions