When installing dependencies, package managers like npm will automatically execute shell scripts distributed along with the source
code. Post-install scripts, for example, are a common way to execute malicious code at install time whenever a package is compromised.
Ask Yourself Whether
- The execution of dependency installation scripts is required for the application to function correctly.
There is a risk if you answered no to the question.
Recommended Secure Coding Practices
Execution of third-party scripts should be disabled if not strictly necessary for dependencies to work correctly. Doing this will reduce the attack
surface and block a well-known supply chain attack vector.
Commands that are subject to this issue are: npm install, yarn install and yarn (yarn without
an explicit command will execute install).
Sensitive Code Example
FROM node:latest
# Sensitive
RUN npm install
FROM node:latest
# Sensitive
RUN yarn install
Compliant Solution
FROM node:latest
RUN npm install --ignore-scripts
FROM node:latest
RUN yarn install --ignore-scripts
See
