Releases: alphagov/govuk-prototype-kit
v13.20.0
New features
When you install plugins using the 'Manage prototype' page or install other dependencies using the npm command:
- npm scripts will no longer be run for the installed plugins or dependencies
- you will not be able to install plugins or dependencies using Git references if you're using npm v11.10.0 or later
This only applies to new prototypes created using npx govuk-prototype-kit@latest create.
To protect existing prototypes, add the following lines to the .npmrc file in your prototype:
ignore-scripts=true
allow-git=none
We've made these changes to help protect Prototype Kit users against supply chain attacks, where malicious code is included in a dependency.
It's still possible for dependencies to execute malicious code. Make sure you only install dependencies from trusted sources.
#2519: Disable npm scripts and installing from git dependencies by default for new prototypes
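One way to apply the two settings above to an existing prototype without disturbing its other .npmrc entries. This is an added example, not part of the Prototype Kit; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not Prototype Kit code): write the two hardening settings
# from the release note into an existing prototype's .npmrc, idempotently.

# set_npmrc_key FILE KEY VALUE
# Leaves FILE with exactly one "KEY=VALUE" line. Any earlier assignment of
# KEY (for example "ignore-scripts = false") is dropped so it cannot
# conflict; comments and unrelated settings are kept.
set_npmrc_key() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    # Skip lines of the form KEY[spaces]=..., but not commented-out ones
    # and not longer keys that merely start with KEY.
    index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ { next }
    { print }
  ' "$file" > "$tmp"
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# harden_npmrc [DIR]
# DIR is the prototype folder (assumed to be the one holding package.json).
harden_npmrc() {
  dir=${1:-.}
  if [ ! -f "$dir/package.json" ]; then
    echo "harden_npmrc: no package.json in $dir" >&2
    return 1
  fi
  npmrc="$dir/.npmrc"
  [ -f "$npmrc" ] || : > "$npmrc"   # create an empty file if none exists
  set_npmrc_key "$npmrc" ignore-scripts true
  set_npmrc_key "$npmrc" allow-git none
}

# Usage, from a shell that has sourced this file:
#   harden_npmrc /path/to/your/prototype
```

Running `npm config get ignore-scripts` from the prototype folder afterwards shows the value npm will actually use, which also reflects any environment variable or user-level setting that overrides the project file.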
Fixes
- #2516: Update immutable
- #2518: Only fetch plugin package info from NPM when needed – thanks to @RichardBradley for reporting this issue and contributing a fix
- #2524: Update brace-expansion, path-to-regexp, picomatch, socket.io-parser, lodash and other dev dependencies
v13.19.1
v13.19.0
v13.18.1
v13.18.0
v13.17.0
New features
- #2434: Apply brand updates manage prototype pages
- #2443: Add support for Node 22
- #2439: Replace custom nav on management pages with service navigation
Fixes
- #2408: Fix kit version update link
- #2420: Fixing the default homepage
- #2425: Fix open redirect vuln in login page
- #2437: Fix version logic for showing whether a plugin has updates
- #2442: Avoid warnings in the console when Sass files get compiled
- #2413: Update dependencies to resolve npm audit warnings
- #2417: Causing an error when session-data-defaults is malformed