When installing dependencies, package managers like
npm will automatically execute shell scripts distributed along with the source
code. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.
Ask Yourself Whether
- The execution of dependency installation scripts is required for the application to function correctly.
There is a risk if you answered no to the question.
Recommended Secure Coding Practices
Execution of third-party scripts should be disabled if not strictly necessary for dependencies to work correctly. Doing this will reduce the attack
surface and block a well-known supply chain attack vector.
Commands that are subject to this issue are:
yarn install and
an explicit command will execute
Sensitive Code Example
RUN npm install
RUN yarn install
RUN npm install --ignore-scripts
RUN yarn install --ignore-scripts