Skip to content

Security/npm lockdown 2025 09 08 #1653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 9, 2025
Merged

Security/npm lockdown 2025 09 08 #1653

merged 2 commits into from
Sep 9, 2025

Conversation

rhyslbw
Copy link
Member

@rhyslbw rhyslbw commented Sep 9, 2025
edited
Loading

🛡️ Security: Block Compromised NPM Releases & Centralize Package Installation

Summary

This PR centralizes package installation across GitHub workflows and adds security measures to prevent malicious package versions sneaking in.

ℹ️ There are currently no known vulnerabilities in the dependency tree, but this is a proactive measure to guard against yesterday's supply chain attack.

Changes

1. Centralize Package Installation and Hardening

  • Created .github/actions/install/action.yml for centralized dependency installation
  • Updated all 9 workflows to use the new action
  • Added Yarn constraints infrastructure with empty rules file
  • Added GitHub variable support for DISABLE_NPM_SCRIPTS

2. Security Measures

  • Added blocklist in .yarn/constraints.pro for 19 malicious package versions
  • Pinned safe versions via resolutions in package.json:
    • color: 4.2.3, color-string: 1.9.1, color-convert: 2.0.1
    • color-name: 1.1.4, chalk: 4.1.2, plus 13 related packages

Benefits

  • Guards qix hack
  • Single source of truth for install logic
  • Automatic security verification on every install
  • Reduced duplication across workflows

@rhyslbw rhyslbw marked this pull request as draft September 9, 2025 09:07
@rhyslbw rhyslbw force-pushed the security/npm-lockdown-2025-09-08 branch from 45c2720 to e5a6f05 Compare September 9, 2025 09:15
@rhyslbw
ci: blocklist package installation in GitHub workflows
4546f26 
Create install action and update all workflows:

✅ Created .github/actions/install/action.yml
- Centralized yarn install with security flags
- Configurable install args and memory settings
- Clean max-old-space-size input (MB only)
- Mandatory yarn constraints verification
- GitHub variable support via ignore-scripts input

✅ Updated 9 workflows to use centralized action:
- continuous-integration-unit-tests.yaml
- continuous-integration-e2e.yaml
- continuous-integration-side-tests.yaml
- continuous-integration-blockfrost-e2e.yaml
- test-deploy-e2e.yaml
- k6-web-socket.yaml
- k6-wallets.yaml
- release.yaml
- post_integration.yml

✅ Added Yarn constraints infrastructure
- Installed @yarnpkg/plugin-constraints
- Configured in .yarnrc.yml
- Created empty .yarn/constraints.pro for rules
- Updated .gitignore to track constraints.pro
- All workflows map vars.DISABLE_NPM_SCRIPTS to action

🎯 Benefits:
- Single source of truth for install logic
- Easy to add constraint checks later
- Consistent security posture across all workflows
- Reduced duplication and maintenance burden
- Foundation ready for security policy enforcement
@rhyslbw rhyslbw force-pushed the security/npm-lockdown-2025-09-08 branch from e5a6f05 to ceddb03 Compare September 9, 2025 09:24
@rhyslbw rhyslbw marked this pull request as ready for review September 9, 2025 09:26
@rhyslbw rhyslbw marked this pull request as draft September 9, 2025 09:40
mkazlauskas
mkazlauskas previously approved these changes Sep 9, 2025
View reviewed changes
@rhyslbw
chore: block compromised npm releases & pin known-good versions (2025…
b7f44ec 
…-09-08)

Add security measures to prevent malicious package versions:

✅ Added Yarn constraints blocklist (.yarn/constraints.pro)
- Blocks 19 malicious versions of compromised packages
- Prevents installation of known bad releases
- Covers color, chalk, and related dependency chains

✅ Pinned exact safe versions via resolutions (package.json)
- color: 4.2.3 (last known good)
- color-string: 1.9.1 (last known good)
- color-convert: 2.0.1 (last known good)
- color-name: 1.1.4 (last known good)
- chalk: 4.1.2 (last known good)
- Plus 13 additional related packages

✅ Updated Yarn configuration
- Added constraints plugin
- Configured for security enforcement
- Updated lockfile with safe versions

🎯 Security Benefits:
- Prevents qix hack
- Blocks malicious postinstall scripts
- Ensures reproducible, secure builds
- Centralized security policy enforcement
@rhyslbw rhyslbw force-pushed the security/npm-lockdown-2025-09-08 branch from 3d922c7 to b7f44ec Compare September 9, 2025 13:41
@rhyslbw rhyslbw marked this pull request as ready for review September 9, 2025 14:03
@rhyslbw rhyslbw merged commit ec23c9e into master Sep 9, 2025
10 of 11 checks passed
@rhyslbw rhyslbw deleted the security/npm-lockdown-2025-09-08 branch September 9, 2025 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkazlauskas mkazlauskas mkazlauskas approved these changes

@AngelCastilloB AngelCastilloB Awaiting requested review from AngelCastilloB

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhyslbw @mkazlauskas