docs(security): harden package-manager supply-chain guidance#392
Conversation
|
This is a genuinely good hardening pass and the timing is right: blocking dependency lifecycle scripts before the first install is exactly the hole the recent npm postinstall worms drove through, so making it the default posture rather than an afterthought is the correct instinct. I also like that you kept the skill body at the principle level and pushed the version-specific matrix into the checklist, since that's the right split for keeping the skill readable while the detail lives where it belongs. The new "the audit passed, so it's safe" rationalization is a nice touch too, it's the exact wrong mental model this whole section is fighting. My one real question is maintenance. The per-version bands (pnpm 10.1-10.25 vs 10.26 vs 11+, npm 11.18, Yarn 4.14+) are precise today, but package-manager defaults churn fast, so this matrix is the part most likely to quietly go stale and mislead someone in six months. You've hedged it well with the "verify against the official docs before changing policy" line and the links, which I think is the right call, so I'm not asking you to drop the specificity. It might just be worth a one-line note at the top of that table that it's a point-in-time snapshot to check against current docs, plus a quick spot-check that the newest flag names (npm install-scripts ls, strict-allow-scripts) match current npm, since a couple of those are recent enough that I'd want to be sure. Everything's green and it's a clear improvement over the npm-only version, so I'm inclined to take it once we've figured out how to keep that matrix honest over time. |
Good call. I’ve now checked the version boundary directly rather than treating the current npm behavior as uniform. The command surface is valid in npm 11.18.0 and 12.0.1, and an isolated npm 12.0.1 probe with a real dependency
The lower boundary matters too: npm 11.12.1 does not expose the
I’ll also add the one-line version-sensitive snapshot note above the matrix and keep the first-party links as the authoritative check for the project’s pinned version. That should preserve the useful precision without silently treating either the newest defaults or the newest commands as universally available. |
Date the version matrix and distinguish fallback, npm 11.18.x, and npm 12.x behavior using verified lifecycle-script probes.
|
Implemented in 509281d. |
addyosmani
left a comment
There was a problem hiding this comment.
This is exactly the response I was hoping for, and then some. Actually probing the version boundaries beats the "add a caveat" fix I suggested, and finding that 11.12.1 has no install-scripts namespace at all is the kind of thing that would have quietly bitten someone. The three-case split plus the snapshot note lands it. Concern fully addressed, checks green, good to go from my side. Nice work @federicobartoli.
Summary
Strengthens the existing dependency supply-chain guidance by making it package-manager-aware and safe before dependency lifecycle scripts are allowed to execute.
Why
The dependency-upgrade workflow added in #346 correctly delegates audit triage and supply-chain risk to
security-and-hardening, but the existing guidance primarily uses npm examples and does not define a complete gate for reviewing lifecycle scripts before they execute.Known-vulnerability auditing and install-script containment address different risks. This change makes that distinction operational without introducing a third-party dependency or a new workflow.
Scope
security-and-hardeningskill and checklist.Fixes #391