
chore(ci): npm ci --ignore-scripts#858

Merged
ianliuwk1019 merged 2 commits into main from chore/ci/ciIgnoreScripts
Nov 27, 2025

Conversation


@DerekRoberts DerekRoberts commented Nov 27, 2025

Re: Shai Hulud 2
Fix: via @basilv


Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:


Copilot AI left a comment


Pull request overview

This PR implements a security mitigation against the Shai Hulud 2 npm supply chain attack by adding the --ignore-scripts flag to npm ci commands across build environments. This prevents potentially malicious install scripts from executing during package installation.

Key Changes

  • Added --ignore-scripts flag to npm ci commands in Dockerfiles for api, admin, and public services
  • Updated one npm ci command in docker-compose.yml admin service with --ignore-scripts
  • Minor formatting improvements in docker-compose.yml (quote style, indentation)

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: Description
public/Dockerfile: Added --ignore-scripts to both npm ci commands in the build stage
api/Dockerfile: Added --ignore-scripts to both npm ci commands in the build stage
admin/Dockerfile: Added --ignore-scripts to both npm ci commands in the build stage
docker-compose.yml: Partially applied --ignore-scripts to admin service, plus formatting improvements


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
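An added example, not code from this PR or from the project: a small Python audit that scans Dockerfile and docker-compose text for `npm ci` / `npm install` invocations that lack `--ignore-scripts`, the kind of check that flags a partially applied change like the one noted above for docker-compose.yml. The function names (`find_unguarded_npm_installs`, `audit_texts`) and the sample Dockerfile and compose snippets are constructed for illustration and are not the project's files.

```python
import re
from typing import Dict, List, Tuple

# An npm install-type invocation: "npm ci", "npm install" or "npm i".
# "npm run ..." and "npm init" deliberately do not match.
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(ci|install|i)\b")
IGNORE_FLAG = "--ignore-scripts"


def find_unguarded_npm_installs(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, command) for every npm ci/install that runs
    without --ignore-scripts.

    Dockerfile backslash continuations are joined into one logical line
    first, and each logical line is split on shell operators (&&, ||, ;)
    so that a flag on one command does not vouch for another command in
    the same RUN step. Comment lines are skipped."""
    findings: List[Tuple[int, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if not buf.lstrip().startswith("#"):
            for segment in re.split(r"&&|\|\||;", buf):
                if NPM_INSTALL_RE.search(segment) and IGNORE_FLAG not in segment:
                    findings.append((start, segment.strip()))
        buf = ""
    return findings


def audit_texts(named: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Run the check over several files; only files with findings are reported."""
    result = {}
    for name, text in named.items():
        hits = find_unguarded_npm_installs(text)
        if hits:
            result[name] = hits
    return result


# Constructed sample inputs (hypothetical, not the project's real files).
SAMPLE_DOCKERFILE = """\
FROM node:22-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --ignore-scripts
COPY . ./
RUN npm run build && \\
    npm ci --omit=dev
"""

SAMPLE_COMPOSE = """\
services:
  admin:
    command: sh -c "npm ci --ignore-scripts && npm run dev"
  api:
    command: sh -c "npm ci && npm run dev"
"""

if __name__ == "__main__":
    report = audit_texts({"Dockerfile": SAMPLE_DOCKERFILE,
                          "docker-compose.yml": SAMPLE_COMPOSE})
    for fname, hits in report.items():
        for lineno, cmd in hits:
            print(f"{fname}:{lineno}: missing {IGNORE_FLAG}: {cmd}")
```

Two practical notes on the mitigation itself: `--ignore-scripts` also suppresses the project's own lifecycle hooks (`prepare`, `postinstall`), so a build that relied on a `postinstall` step must run it explicitly afterwards, and a dependency that genuinely needs its install script (for example a native addon) can be rebuilt selectively with `npm rebuild <package>` rather than re-enabling scripts globally. The same policy can be set repository-wide with `ignore-scripts=true` in `.npmrc`, which keeps developer machines and CI consistent instead of relying on every `npm ci` line carrying the flag.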

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.




@ianliuwk1019 ianliuwk1019 left a comment


Thanks Derek.

@github-project-automation github-project-automation bot moved this from New to Waiting in DevOps (NR) Nov 27, 2025
@ianliuwk1019 ianliuwk1019 merged commit 0a71179 into main Nov 27, 2025
32 checks passed
@ianliuwk1019 ianliuwk1019 deleted the chore/ci/ciIgnoreScripts branch November 27, 2025 19:12
@github-project-automation github-project-automation bot moved this from Waiting to Done in DevOps (NR) Nov 27, 2025
