Add .npmrc with security hardening settings #258
Security hardening: ignore-scripts prevents malicious install scripts from running during npm install, and save-exact pins dependency versions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Code Review
Overall Assessment: This PR adds a .npmrc file with ignore-scripts=true and save-exact=true for supply chain security hardening, but ignore-scripts=true breaks the existing prepare lifecycle script that installs Husky git hooks.
Inline comments: 2 discussions added
| @@ -0,0 +1,2 @@ | |||
| ignore-scripts=true | |||
Critical Issue: Setting ignore-scripts=true will break the existing prepare script ("prepare": "husky install" in package.json). When any contributor runs npm install, Husky will no longer be set up automatically, meaning the pre-push lint hook (.husky/pre-push) won't be installed and will silently stop working.
The PR description mentions using a per-package allowlist (lifecycle-script-allowed[]=<pkg>) as a workaround, but that syntax is not supported by standard npm — it is specific to pnpm. For npm, there is no built-in per-package script allowlist.
Practical options to resolve this:
- Remove ignore-scripts=true and rely on package-lock.json integrity + npm audit for supply chain defense instead.
- Replace prepare with a manual step: Remove the prepare script and document that contributors must run npx husky install once after cloning. Update the README accordingly.
- Use a .husky-aware workaround: Keep the setting but add a note in the README and CI configuration reminding contributors/CI to run npm run prepare explicitly after npm install --ignore-scripts.
| @@ -0,0 +1,2 @@ | |||
| ignore-scripts=true | |||
| save-exact=true | |||
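Review bot: neither line carries a comment explaining the intent or the follow-up it forces, and the first line (ignore-scripts=true) also suppresses this repository's own prepare script that installs the Husky hooks, so contributors and CI have to run npm run prepare themselves after npm install. .npmrc is ini-style and accepts # comments; recording that requirement here, next to the setting that causes it, would keep the workaround visible to anyone who later reads or copies the file.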
Suggestion: save-exact=true only affects packages added via npm install <pkg> going forward — it does not pin the existing range-specifier dependencies already in package.json (e.g., "chai": "^4.3.4", "node-fetch": "^3.3.2", etc.). The existing devDependencies and dependencies still use ^ ranges, so reproducibility relies entirely on package-lock.json being committed and respected.
Consider updating the existing entries in package.json to exact versions to make the intent consistent, or document that package-lock.json is the primary reproducibility mechanism and save-exact=true is just a forward-looking guardrail.
Pull request overview
Adds repository-level npm configuration to harden installs against supply-chain risks and improve reproducibility for dependency versioning in this Node.js client library.
Changes:
- Adds .npmrc with ignore-scripts=true to disable npm lifecycle scripts by default.
- Adds .npmrc with save-exact=true so newly added dependencies are saved with exact versions.
| ignore-scripts=true | ||
| save-exact=true |
Summary
- .npmrc with ignore-scripts=true and save-exact=true
- ignore-scripts=true prevents arbitrary code execution during npm install (supply chain defense)
- save-exact=true pins exact dependency versions for reproducible builds
If a package requires install scripts
Add a per-package allowlist in .npmrc:
Or run one-off with:
Context
Part of an org-wide security hardening initiative for all npm-based repositories.