Mitigate NPM supply chain attacks

Due to recent NPM supply chain attacks like the [Sha1-Hulud](https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised) and [Sha1-Hulud: The Second Coming](https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised), projects can mitigate attacks by ignoring npm lifecycle scripts and using pinned versions of the npm dependencies, and then re-generate the package-lock-json file.

**Ignoring Scrpts**

Consider adding the flag `--ignore-scripts` to the build GitHub Actions to prevent the execution of npm lifecycle scripts (e.g., pre-install and post-install). Sha1-Hulud relies on these scripts to exfiltrate data and replicate itself in the host machine.
```
npm ci --ignore-scripts
```
(Note that `npm-ci`, [ignore scripts is disabled by default](https://docs.npmjs.com/cli/v9/commands/npm-ci#ignore-scripts)).

**Pinned Versions for Dependecies**

Currently, the version number of the [stylelint dependency](https://github.com/Netcentric/stylelint-config/blob/main/package.json#L37) is using the caret character (`^`) which will update [minor and patch versions up to (but not) version 17.0.0](https://semver.npmjs.com/).
```
  "devDependencies": {
    "stylelint": "^16.26.0"
  },
```
Removing the caret character (`^`) will harden deployment processes and slightly stop the worm.

———
Yours truly,
Rawl

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mitigate NPM supply chain attacks #27

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Mitigate NPM supply chain attacks #27

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions