When installing dependencies, package managers like npm automatically run the lifecycle scripts (preinstall, install, postinstall) that a package declares in its package.json, with the privileges of whoever runs the install. A postinstall script is therefore a common way to execute malicious code at install time whenever a package is compromised: the payload runs on every developer machine and CI runner that picks up the tampered version, before the application code is ever executed.
Ask Yourself Whether
- The execution of dependency installation scripts is required for the application to function correctly.
There is a risk if you answered no to the question.
Recommended Secure Coding Practices
Execution of third-party scripts should be disabled unless it is strictly necessary for dependencies to work correctly. Doing this reduces the attack surface and blocks a well-known supply chain attack vector. Note that the flags below also skip the lifecycle scripts of the project's own package.json and of dependencies that legitimately need them (for example native addons compiled at install time), so answer the question above before applying them and run any required build steps explicitly.
Commands that are subject to this issue are: npm install, yarn install and yarn (yarn without an explicit command executes install).
Sensitive Code Example
name: Build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: npm install # Sensitive

name: Build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: yarn install # Sensitive
Compliant Solution
name: Build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: npm install --ignore-scripts

name: Build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: |
          # Yarn 1.x
          yarn install --ignore-scripts
          # Yarn 2.x and later (the enableScripts setting): use this instead of the line above
          YARN_ENABLE_SCRIPTS=false yarn install
See