Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#4699: analyzer/npm :: Add usage of --ignore-scripts parameter to "npm ci" in order to prevent unnecessary and risky script execution #4700

Merged
merged 1 commit into from Nov 17, 2021
Merged

#4699: analyzer/npm :: Add usage of --ignore-scripts parameter to "npm ci" in order to prevent unnecessary and risky script execution #4700

merged 1 commit into from Nov 17, 2021

Conversation

rockebee
Copy link

PR attempts to use --ignore-scripts parameter also in npm ci cases, not only for npm install.
(cmp. #4699 for respective issue description)

@rockebee rockebee requested a review from a team as a code owner November 15, 2021 11:14
mnonnenmacher
mnonnenmacher previously requested changes Nov 16, 2021
View reviewed changes
Copy link
Member

@mnonnenmacher mnonnenmacher left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rockebee Thank you for the contribution. Please sign your commit message (see the failing DCO check) and reformat it to match our standards, for example like so:

Npm: Add `--ignore-scripts` to `npm ci`

Add usage of `--ignore-scripts` to the `npm ci` call in order to prevent
unnecessary and risky script execution.

Fixes #4699.

@sschuberth
Copy link
Member

Quoting @rockebee from #4699:

Caveat: ignore-scripts was introduced with NPM 5.7.0 (together with npm ci itself), but was not supported in NPM versions 7.0.0 < 7.4.0 (link)

So, should we change the code to only pass --ignore-scripts to npm ci for version 5.7.0 to 7.0.0, or versions above 7.4.0?

@mnonnenmacher
Copy link
Member

Quoting @rockebee from #4699:

Caveat: ignore-scripts was introduced with NPM 5.7.0 (together with npm ci itself), but was not supported in NPM versions 7.0.0 < 7.4.0 (link)

So, should we change the code to only pass --ignore-scripts to npm ci for version 5.7.0 to 7.0.0, or versions above 7.4.0?

I understood the PR so that the option was still present but simply not working from 7.0.0-7.4.0.

@sschuberth
Copy link
Member

I understood the PR so that the option was still present but simply not working from 7.0.0-7.4.0.

Ah, ok. Then of course the code should be fine as-is.

@rockebee
Copy link
Author

@mnonnenmacher @sschuberth, thx for feedback. Commit message is now signed properly and commit message modified as suggested.
I agree that IMHO there is no need to exclude NPM versions 7.0.0 to < 7.4.0, as npm ci itself is properly working, just the --ignore-scripts flag was not working and ignored.

@sschuberth
Copy link
Member

Nit: There needs to be a blank line between

Fixes #4699.
Signed-off-by: Stefan Schwenkenbecher <38685542+rockebee@users.noreply.github.com>

to separate the body from the footer.

@rockebee
Npm: Add --ignore-scripts to npm ci
cd3e35d 
Add usage of `--ignore-scripts` to the `npm ci` call in order to prevent
unnecessary and risky script execution.

Fixes #4699.

Signed-off-by: Stefan Schwenkenbecher <38685542+rockebee@users.noreply.github.com>
@sschuberth sschuberth enabled auto-merge (rebase) November 17, 2021 16:40
@sschuberth sschuberth merged commit b68146b into oss-review-toolkit:master Nov 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sschuberth sschuberth sschuberth approved these changes

@mnonnenmacher mnonnenmacher mnonnenmacher left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rockebee @sschuberth @mnonnenmacher