Add a secure NPM configuration#203

Merged
joshmgross merged 2 commits into
mainfrom
add-npmrc
Jun 1, 2026
Conversation

@joshmgross

Contributor

This sets up a .npmrc to require a minimum release age of 3 days for dependencies, disallow git dependencies, and ignore lifecycle scripts.

Disabling scripts is intended to prevent malicious postinstall scripts, but it has the side-effect of disabling existing defined lifecycle scripts in our own package.json. Those have been manually replaced with the equivalent script calls.
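The side effect described above is easy to overlook, so here is an added example (not code from this PR or from the project) of a small audit that catches it: it parses a constructed .npmrc, and if `ignore-scripts=true` is set it lists the scripts in a constructed package.json that npm will no longer run on its own. npm still runs a script you name explicitly (`npm test`, `npm run build`), but it stops running lifecycle hooks such as prepublishOnly or version and the pre/post wrappers around other scripts, which is why those had to be replaced with explicit calls. The sample package.json mirrors the scripts visible in the thread; the function names, the sample files and the `build: tsc` entry are assumptions for this example, and the other settings the PR mentions (minimum release age, git dependencies) are not reproduced because the .npmrc itself is not shown on this page.

```javascript
// Added example, not code from the PR or the project it belongs to.
// Given a .npmrc and a parsed package.json, report the scripts npm stops
// running automatically once ignore-scripts=true is set, so each one can
// be replaced with an explicit `npm run <name>` call.

// Lifecycle hooks npm invokes by itself during install, pack, publish
// and version (from the npm scripts documentation).
const NPM_LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall', 'prepare', 'prepublish',
  'prepublishOnly', 'prepack', 'postpack', 'preversion', 'version',
  'postversion', 'dependencies',
]);

// Minimal .npmrc (ini-style key=value) parser: skips blank lines and
// comment lines starting with # or ;, splits each line on its first '='.
function parseNpmrc(text) {
  const config = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue; // bare keys are not needed for this check
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Scripts npm would no longer run automatically: named lifecycle hooks,
// plus any pre<x>/post<x> wrapper around a script x that exists.
function scriptsSkippedByIgnoreScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const names = Object.keys(scripts);
  const skipped = [];
  for (const name of names) {
    const wrapper = /^(pre|post)(.+)$/.exec(name);
    if (NPM_LIFECYCLE_HOOKS.has(name) || (wrapper && names.includes(wrapper[2]))) {
      skipped.push(name);
    }
  }
  return skipped.sort();
}

// Returns the hooks the project must now call explicitly, or [] when the
// .npmrc does not set ignore-scripts=true.
function auditIgnoreScripts(npmrcText, pkg) {
  const config = parseNpmrc(npmrcText);
  if (config['ignore-scripts'] !== 'true') return [];
  return scriptsSkippedByIgnoreScripts(pkg);
}

// Constructed sample inputs (not the project's real files).
const SAMPLE_NPMRC = [
  '# constructed .npmrc for this example',
  'ignore-scripts=true',
].join('\n');

const SAMPLE_PACKAGE_JSON = {
  name: 'example-package',
  scripts: {
    build: 'tsc', // assumed build command
    pretest: 'npm run build',
    test: 'jest',
    version: 'echo "export const Version = \'$npm_package_version\'" > src/version.ts && git add src/version.ts && npm run build',
    prepublishOnly: 'npm run build',
  },
};

for (const hook of auditIgnoreScripts(SAMPLE_NPMRC, SAMPLE_PACKAGE_JSON)) {
  console.log(`${hook}: no longer runs automatically; call explicitly: ${SAMPLE_PACKAGE_JSON.scripts[hook]}`);
}
```

Run against the sample above it reports pretest, version and prepublishOnly, which is exactly the set this PR had to replace by hand; pointing it at a CI step after any .npmrc change keeps the next such hook from disappearing silently.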

Comment thread: package.json
"pretest": "npm run build",
"test": "jest",
"version": "echo \"export const Version = '$npm_package_version'\" > src/version.ts && git add src/version.ts && npm run build",
"prepublishOnly": "npm run build"

Contributor Author

Our publish workflow already calls npm run build

- run: npm run build
- run: npm test
- run: npm publish --provenance --access public

@joshmgross joshmgross merged commit 57bdfa6 into main Jun 1, 2026
8 checks passed
@joshmgross joshmgross deleted the add-npmrc branch June 1, 2026 21:04