Skip to content

chore(.npmrc): ignore scripts #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 17, 2025
Merged

chore(.npmrc): ignore scripts #78

merged 1 commit into from
Sep 17, 2025

Conversation

Fdawgs
Copy link
Member

@Fdawgs Fdawgs commented Sep 17, 2025
edited
Loading

After the recent supply chain attacks that use install scripts, we should enable this everywhere.

This was already enabled in the main fastify repo as part of fastify/fastify#6108.
If this is approved and merged then I will do a batch of PRs to the rest of the repos.

Checklist

@Fdawgs
chore(.npmrc): ignore scripts
12ee9e5 
Signed-off-by: Frazer Smith <[email protected]>
@Fdawgs Fdawgs requested a review from mcollina September 17, 2025 08:22
mcollina
mcollina approved these changes Sep 17, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

In a lot of repositories we use @fastify/pre-commit to set up the pre-commit script (not sure here). We should ideally white-list that.

@Fdawgs
Copy link
Member Author

Fdawgs commented Sep 17, 2025
edited
Loading

lgtm

In a lot of repositories we use @fastify/pre-commit to set up the pre-commit script (not sure here). We should ideally white-list that.

Is there a way to whitelist? Only thing I can thing of is running npm rebuild @fastify/pre-commit

If not, maybe we just need to remove @fastify/pre-commit? From looking at where it is used it runs lint and test, both of which the CI workflows run anyway.

@Fdawgs Fdawgs requested a review from a team September 17, 2025 09:16
@jsumners
Copy link
Member

We should ideally white-list that.

The only way I see to enable that is https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts.

I'm not so convinced the pre-commit script is worth it any longer. In my view, it was meant to assure a commit is "clean" before it gets suggested as a change in a PR. But a lot of people just clone, edit, and PR. They never even install dependencies and simply rely on CI to do all of the work. Personally, I end up skipping it more often than not with -n because it's an annoying step that probably won't work due to all of the not-JavaScript stuff.

@jsumners jsumners mentioned this pull request Sep 17, 2025
Open
mcollina
mcollina approved these changes Sep 17, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina mcollina merged commit ebce4f4 into main Sep 17, 2025
17 checks passed
@Fdawgs Fdawgs deleted the chore/npmrc branch September 17, 2025 12:55
This was referenced Sep 17, 2025
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Sep 18, 2025
Merged
Merged
Merged
Merged
Merged
Merged
RodrigoDornelles pushed a commit to fastify/fastify-opensearch that referenced this pull request Sep 18, 2025
@Fdawgs
chore: add .npmrc file (#43)
a1b9886 
See fastify/deepmerge#78

Signed-off-by: Frazer Smith <[email protected]>
@Fdawgs Fdawgs mentioned this pull request Sep 18, 2025
Merged
Fdawgs added a commit to fastify/fastify-cli that referenced this pull request Sep 18, 2025
@Fdawgs
chore: add .npmrc file (#840)
f621db0 
See fastify/deepmerge#78

Signed-off-by: Frazer Smith <[email protected]>
This was referenced Sep 18, 2025
Closed
Merged
Closed
Open
Fdawgs added a commit to fastify/gh-issues-finder that referenced this pull request Sep 21, 2025
@Fdawgs
chore(.npmrc): ignore scripts
5206edf 
See fastify/deepmerge#78. This is a batch PR created by a script. Please review prior to merging.

Signed-off-by: Frazer Smith <[email protected]>
This was referenced Sep 21, 2025
Merged
Merged
Fdawgs added a commit to fastify/gh-issues-finder that referenced this pull request Sep 21, 2025
@Fdawgs
chore(.npmrc): ignore scripts (#478)
ae5752e 
See fastify/deepmerge#78. This is a batch PR created by a script. Please review prior to merging.

Signed-off-by: Frazer Smith <[email protected]>
This was referenced Sep 22, 2025
Open
Merged
Merged
Merged
Merged
Merged
Fdawgs added a commit to Fdawgs/node-unrtf that referenced this pull request Sep 23, 2025
@Fdawgs
chore(.npmrc): ignore scripts
b887c2e 
See fastify/deepmerge#78.
This was referenced Sep 23, 2025
Merged
Merged
Merged
Fdawgs added a commit to Fdawgs/node-unrtf that referenced this pull request Sep 23, 2025
@Fdawgs
chore(.npmrc): ignore scripts (#480)
61dd6df 
See fastify/deepmerge#78.
Fdawgs added a commit to Fdawgs/redact that referenced this pull request Oct 15, 2025
@Fdawgs
chore(.npmrc): ignore scripts
685ff1e 
See fastify/deepmerge#78
@Fdawgs Fdawgs mentioned this pull request Oct 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@Eomm Eomm Eomm approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Fdawgs @jsumners @mcollina @Eomm