ui: add supply-chain hardening .npmrc (#18794)
Set ignore-scripts=true, allow-git=none, and min-release-age=3 to harden npm installs against lifecycle script abuse, git-sourced dependencies, and recently published packages. Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
This commit is contained in:
parent
27925e446c
commit
1dd4d3f6c3
1 changed files with 9 additions and 0 deletions
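--- /dev/null
+++ b/web/ui/.npmrc
@@ -0,0 +1,9 @@
+ignore-scripts=true
+# Prevent installing packages sourced directly from git. Such packages bypass
+# registry integrity checks and can ship their own .npmrc that re-enables
+# lifecycle scripts, silently defeating ignore-scripts above.
+allow-git=none
+# Require packages to be published for at least 3 days before they can be
+# installed. This mitigates transient supply-chain attacks where a malicious
+# package is published and quickly pulled in before the community can react.
+min-release-age=3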
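Review bot: `ignore-scripts=true` on the first line is the only setting without a comment, and it is the one with the widest side effects: besides blocking dependency install hooks it also skips this project's own pre/post scripts around `npm run …`, so any `prebuild`/`postinstall` in web/ui's package.json (not visible in this diff) would silently stop running. A comment such as `# Do not run package lifecycle scripts (preinstall/postinstall/prepare) during install; this also skips this project's own pre-/post- hooks around npm run` would make that tradeoff explicit. `allow-git` and `min-release-age` are recent npm config keys; an npm release that predates them ignores the key (at most a warning) and the control is silently absent, so it is worth stating the minimum npm version this file assumes, either in a comment here or via an `engines.npm` constraint. The file only takes effect when npm is invoked with web/ui (or a subdirectory) as the working directory, so a CI or Makefile step that runs npm from elsewhere would bypass all three settings.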