NPM Script Execution Disabled
Overview
We have disabled npm lifecycle scripts in our Skpr container base images as a security measure in response to the Shai-Hulud worm, which spread through malicious install scripts added to compromised npm packages, so that the payload ran automatically during a normal install.
For more information on the attack see this blog post from Socket.
Changes Applied
We have added the following environment variables to our Node images. The first disables lifecycle scripts for Yarn (Berry), the second for npm:
YARN_ENABLE_SCRIPTS=false
NPM_CONFIG_IGNORE_SCRIPTS=true
Note that with ignore-scripts set, npm skips every install-time lifecycle script (preinstall, install, postinstall and prepare), including those declared in your own project's package.json, not only those of dependencies. Commands that explicitly target a script, such as npm run build or npm test, still run that script, but their pre and post hooks do not.
Recommended Local Development Configuration
To ensure local development environments are not compromised, we also recommend teams add the following to their project's .npmrc
file (or to ~/.npmrc to cover every project on the machine):
ignore-scripts=true
The Yarn (Berry) equivalent in .yarnrc.yml is enableScripts: false. You can confirm the setting is active with npm config get ignore-scripts, which should print true.
Checking Blocked Scripts
You can identify which installed packages declare a postinstall script, and are therefore now blocked, with:
npm query ":attr(scripts, [postinstall])" | jq 'map(.name)'
Example output:
[
  "esbuild"
]
Here esbuild is flagged because it declares a postinstall script. The selector above only matches postinstall; repeat the query with preinstall and install in place of postinstall to cover the other hooks that ignore-scripts disables.
To see what a blocked script would have executed:
npm view esbuild scripts.postinstall
Example output:
node install.js
Review the script before re-enabling it (for example, read node_modules/esbuild/install.js); the whole point of blocking scripts is that this content is untrusted until someone has looked at it. You can then manually run the script by pointing to the full path:
node ./node_modules/esbuild/install.js
npm runs lifecycle scripts with the package directory as the working directory, so scripts that use relative paths should be run from there instead, for example (cd node_modules/esbuild && node install.js). A postinstall entry can be any shell command, not only node with a file argument, so adapt the manual invocation to whatever npm view reports.
Include these manual execution steps in your build process where required.
Further Recommendations
We encourage teams to evaluate alternative Node package managers that have built-in ignore-scripts
workflows. For example, pnpm (version 10 and later) blocks dependency build scripts by default and provides the pnpm approve-builds subcommand for allowing individual packages when needed; the approved names are recorded in package.json, so the decision is versioned with the project.