Overview​

We have disabled NPM scripts in our Skpr container base images as a security measure in response to the Shai-Hulud worm attack.

For more information on the attack see this blog post from Socket.

Changes Applied​

We have added the following environment variables to our Node images.

• YARN_ENABLE_SCRIPTS=false
• NPM_CONFIG_IGNORE_SCRIPTS=true

Recommended Local Development Configuration​

To ensure local development environments are not compromised, we also recommend teams add the following to their .npmrc file:

ignore-scripts=true

Checking Blocked Scripts​

You can identify which scripts are now blocked with:

npm query ":attr(scripts, [postinstall])" | jq 'map(.name)'

Example output:

[
  "esbuild" 👈️ Flagging a dependency that has a postinstall script
]

To see what a blocked script would have executed:

npm view esbuild scripts.postinstall

Example output:

node install.js

You can then manually run the script by pointing to the full path:

node ./node_modules/esbuild/install.js

Include these manual execution steps in your build process where required.

Further Recommendations​

We encourage teams to evaluate alternative Node package managers that have built-in ignore-scripts workflows. For example, pnpm blocks scripts by default and provides a subcommand for approving projects when needed.

Overview​

Cluster authentication has improved theming and supports dark mode. Requires 0.34.8 of the cli.

Overview​

Our PHP versions have been updated to:

• 8.4.11
• 8.3.24

Link​

Pull Request #164

Overview​

Our PHP versions have been updated to:

• 8.4.10
• 8.3.23
• 8.2.29

Link​

Pull Request

Overview​

We have added local developer images for OpenSearch 2.x and 3.x.

# 2.x
docker.io/skpr/opensearch:dev-v2-2.x

# 3.x
docker.io/skpr/opensearch:dev-v2-3.x

Link​

• Pull Request: 2.x
• Pull Request: 3.x

Overview​

Our PHP versions have been updated to:

• 8.4.8
• 8.3.22

Link​

Pull Request

Overview​

Our PHP versions have been updated to:

• 8.4.8
• 8.3.22

Link​

Pull Request

Overview​

Provides a mechanism for returning a static page when a non-200 event occurs.

These static pages include:

• Overview of the error
• The request ID for tracing
• Dark mode

These pages are overridable during application packaging and can be customized to align with your sites design.

Link​

Pull Request Documentation

Overview​

We've introduced a new is_logged_in field in the Nginx logs to indicate whether a request was made by a logged-in user.

Link​

Pull Request

Overview​

Database images are now packaged and pushed to a dedicated repository for each environment.

This update enables us to securely manage database images by restricting them to their respective environments.

Developers are required to update their database image references.

How to update​

Before

xxxxxxxxx.dkr.ecr.ap-southeast-2.amazonaws.com/skpr-example-project/mysql:dev-default-latest

After

xxxxxxxxx.dkr.ecr.ap-southeast-2.amazonaws.com/skpr-example-project/mysql/dev:default-latest

Note that mysql:dev-default-latest became mysql/dev:default-latest in th example above.

What do I update?​

The database image it typically referenced in:

• Docker Compose
• CI/CD configuration (CircleCI/Github Actions)