When installing dependencies, package managers like npm
will automatically execute shell scripts distributed along with the source
code. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.
Ask Yourself Whether
- The execution of dependency installation scripts is required for the application to function correctly.
There is a risk if you answered no to the question.
Recommended Secure Coding Practices
Execution of third-party scripts should be disabled if not strictly necessary for dependencies to work correctly. Doing this will reduce the attack
surface and block a well-known supply chain attack vector.
Sensitive Code Example
# Sensitive
RUN npm install
# Sensitive
RUN yarn install
Compliant Solution
RUN npm install --ignore-scripts
RUN yarn install --ignore-scripts
See