Improve package manager security

mcecode · mcecode · commit 709b12b44e9f · 2025-09-26T17:15:22.000+08:00
- Don't run install scripts automatically
- Set minimumReleaseAge
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,8 +7,6 @@ on:
     branches: [main]
 
 env:
-  # Installing Chrome is not required for linting files.
-  PUPPETEER_SKIP_DOWNLOAD: true
   # Output colored text
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -41,5 +41,7 @@ jobs:
         run:
           echo 0 | sudo tee
           /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+      - name: Install Chrome
+        run: pnpm install-chrome-for-puppeteer
       - name: Run tests
         run: pnpm test
diff --git a/package.json b/package.json
@@ -38,7 +38,8 @@
 		"format": "prettier --write .",
 		"lint": "tsc && eslint && prettier --check .",
 		"test": "node --test --test-reporter spec test/test.js",
-		"test:update-snapshots": "node --test --test-reporter spec --test-update-snapshots test/test.js"
+		"test:update-snapshots": "node --test --test-reporter spec --test-update-snapshots test/test.js",
+		"install-chrome-for-puppeteer": "puppeteer browsers install chrome"
 	},
 	"dependencies": {
 		"chokidar": "^4.0.3",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -1,2 +1,3 @@
-onlyBuiltDependencies:
-  - puppeteer
+# Reduce risk of installing compromised packages by only installing packages
+# that are at least a day old.
+minimumReleaseAge: 1440
