From a0ea5e7cac13a49ba9acc117cea10e42bd7d682a Mon Sep 17 00:00:00 2001
From: saileshwar-skyflow
Date: Thu, 4 Jun 2026 00:14:00 +0530
Subject: [PATCH 1/4] =?UTF-8?q?SK-2839:=20harden=20against=20supply=20chai?= =?UTF-8?q?n=20attacks=20=E2=80=94=20pin=20deps=20and=20add=20--ignore-scr?= =?UTF-8?q?ipts=20to=20CI?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pin all ^/~ version ranges in package.json and example/package.json to exact lockfile-resolved versions (yarn.lock source of truth)
- Add --ignore-scripts to all npm install steps in CI workflows to block arbitrary postinstall execution from compromised packages
- Create .npmrc with comment explaining why ignore-scripts=true was omitted globally (example/postinstall=patch-package is a legitimate required hook)
Co-Authored-By: Claude Sonnet 4.6
---
.github/workflows/CI.yml | 5 ++-
.github/workflows/beta-release.yml | 5 ++-
.github/workflows/internal-release.yml | 5 ++-
.github/workflows/main.yml | 5 ++-
.github/workflows/release.yml | 5 ++-
.npmrc | 3 ++
example/package.json | 14 ++++----
package.json | 46 +++++++++++++-------------
8 files changed, 53 insertions(+), 35 deletions(-)
create mode 100644 .npmrc
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index eb5702f..4891c4d 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -29,7 +29,10 @@ jobs:
node-version: 14.21.3
- name: install node_modules
- run: npm install
+ # --ignore-scripts: guard against supply-chain postinstall execution.
+ # example/postinstall (patch-package) is not triggered here (root install only).
+ # react-native native postinstall not required — CI runs JS tests/build only.
+ run: npm install --ignore-scripts
- name: Run spellcheck
run: npm run spellcheck
diff --git a/.github/workflows/beta-release.yml b/.github/workflows/beta-release.yml
index ae90c66..3108d21 100644
--- a/.github/workflows/beta-release.yml
+++ b/.github/workflows/beta-release.yml
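Review bot: `run: npm install --ignore-scripts` still resolves the dependency tree from package.json at install time instead of enforcing a committed lockfile, so the exact pins only fix direct dependencies and transitive versions can still drift between runs; the same install step appears in beta-release.yml, internal-release.yml, main.yml and release.yml. The commit message names yarn.lock as the source of truth, but these jobs run npm under node-version 14.21.3, whose bundled npm 6 does not read yarn.lock at all. If a package-lock.json is committed, `run: npm ci --ignore-scripts` installs exactly the locked tree and fails on drift; if not, the lockfile that CI actually consumes should be generated and committed first. The enclosing job definition starts before the hunk.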
@@ -19,7 +19,10 @@ jobs:
with:
node-version: 14.21.3
registry-url: 'https://registry.npmjs.org'
- - run: npm install
+ # --ignore-scripts: guard against supply-chain postinstall execution.
+ # example/postinstall (patch-package) is not triggered here (root install only).
+ # react-native native postinstall not required — CI runs JS tests/build only.
+ - run: npm install --ignore-scripts
- name: Build
run: npm run build
diff --git a/.github/workflows/internal-release.yml b/.github/workflows/internal-release.yml
index e756c3d..a7723d8 100644
--- a/.github/workflows/internal-release.yml
+++ b/.github/workflows/internal-release.yml
@@ -24,7 +24,10 @@ jobs:
with:
node-version: 14.21.3
- - run: npm install
+ # --ignore-scripts: guard against supply-chain postinstall execution.
+ # example/postinstall (patch-package) is not triggered here (root install only).
+ # react-native native postinstall not required — CI runs JS tests/build only.
+ - run: npm install --ignore-scripts
- name: Get Previous tag
id: previoustag
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index eaa5685..08a7d43 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,7 +15,10 @@ jobs:
node-version: 14.21.3
- name: install node_modules
- run: npm install
+ # --ignore-scripts: guard against supply-chain postinstall execution.
+ # example/postinstall (patch-package) is not triggered here (root install only).
+ # react-native native postinstall not required — CI runs JS tests/build only.
+ run: npm install --ignore-scripts
- name: Run tests
run: npm run test
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9bcd2dc..3f72715 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,10 @@ jobs:
- name: install modules
- run: npm install
+ # --ignore-scripts: guard against supply-chain postinstall execution.
+ # example/postinstall (patch-package) is not triggered here (root install only).
+ # react-native native postinstall not required — CI runs JS tests/build only.
+ run: npm install --ignore-scripts
- name: Get Previous tag
id: previoustag
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..90e08a1
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,3 @@
+# ignore-scripts not set globally — example/package.json uses postinstall=patch-package
+# for required dependency patches, and react-native may use native postinstall scripts.
+# Apply --ignore-scripts selectively per CI workflow step instead (see .github/workflows/).
diff --git a/example/package.json b/example/package.json
index 97db816..13e052b 100644
--- a/example/package.json
+++ b/example/package.json
@@ -12,7 +12,7 @@
},
"dependencies": {
"react": "18.2.0",
- "react-native": "^0.71.19"
+ "react-native": "0.71.19"
},
"resolutions": {
"@babel/runtime": "^7.26.10",
@@ -20,12 +20,12 @@
"brace-expansion": "^1.1.12"
},
"devDependencies": {
- "@babel/core": "^7.12.10",
- "@babel/runtime": "^7.12.5",
- "babel-plugin-module-resolver": "^5.0.0",
- "metro-react-native-babel-preset": "^0.67.0",
- "patch-package": "^6.4.7",
- "postinstall-postinstall": "^2.1.0",
+ "@babel/core": "7.26.0",
+ "@babel/runtime": "7.27.6",
+ "babel-plugin-module-resolver": "5.0.2",
+ "metro-react-native-babel-preset": "0.73.10",
+ "patch-package": "6.5.1",
+ "postinstall-postinstall": "2.1.0",
"react-test-renderer": "18.1.0"
}
}
diff --git a/package.json b/package.json
index 63f6cf9..4e4716b 100644
--- a/package.json
+++ b/package.json
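Review bot: The `resolutions` block kept as context in the example/package.json hunk is a Yarn-only field that npm ignores (npm's equivalent is `overrides`, available from npm 8.3), so the `@babel/runtime` and `brace-expansion` floors are not applied whenever this package is installed with npm, which is what these workflows use for the root under Node 14's bundled npm 6. Pinning the direct devDependencies does not change that, since those two entries only matter for transitive copies. If npm installs are expected, mirror the entries in an `overrides` block on an npm that honours it, or otherwise state in the README that the example is Yarn-only. The same Yarn-only `resolutions` block appears as context in the package.json hunk that follows.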
@@ -42,28 +42,28 @@
"author": "Skyflow",
"license": "MIT",
"devDependencies": {
- "@arkweid/lefthook": "^0.7.7",
- "@babel/eslint-parser": "^7.18.2",
- "@commitlint/config-conventional": "^17.0.2",
- "@react-native-community/eslint-config": "^3.0.2",
- "@testing-library/react-native": "^11.3.0",
- "@types/jest": "^28.1.2",
- "@types/lodash": "^4.14.185",
- "@types/react": "~17.0.21",
+ "@arkweid/lefthook": "0.7.7",
+ "@babel/eslint-parser": "7.25.9",
+ "@commitlint/config-conventional": "17.8.1",
+ "@react-native-community/eslint-config": "3.2.0",
+ "@testing-library/react-native": "11.5.4",
+ "@types/jest": "28.1.8",
+ "@types/lodash": "4.17.13",
+ "@types/react": "17.0.21",
"@types/react-native": "0.68.0",
- "commitlint": "^17.0.2",
+ "commitlint": "17.8.1",
"cspell": "4.2.8",
- "eslint": "^8.4.1",
- "eslint-config-prettier": "^8.5.0",
- "eslint-plugin-prettier": "^4.0.0",
- "jest": "^28.1.1",
- "pod-install": "^0.1.0",
- "prettier": "^2.0.5",
+ "eslint": "8.57.1",
+ "eslint-config-prettier": "8.10.0",
+ "eslint-plugin-prettier": "4.2.1",
+ "jest": "28.1.3",
+ "pod-install": "0.1.39",
+ "prettier": "2.8.8",
"react": "18.0.0",
- "react-native": "^0.71.19",
- "react-native-builder-bob": "^0.18.3",
- "react-test-renderer": "^18.2.0",
- "typescript": "^4.5.2"
+ "react-native": "0.71.19",
+ "react-native-builder-bob": "0.18.3",
+ "react-test-renderer": "18.3.1",
+ "typescript": "4.9.5"
},
"resolutions": {
"@types/react": "17.0.21",
@@ -133,9 +133,9 @@
]
},
"dependencies": {
- "jwt-decode": "^3.1.2",
- "lodash": "^4.17.21",
- "react-native-uuid": "^2.0.1",
- "set-value": "^4.1.0"
+ "jwt-decode": "3.1.2",
+ "lodash": "4.17.21",
+ "react-native-uuid": "2.0.3",
+ "set-value": "4.1.0"
}
}
From 5a01ce9b11ae80cffe80fea0502b8008908cc35d Mon Sep 17 00:00:00 2001
From: saileshwar-skyflow
Date: Thu, 4 Jun 2026 23:46:15 +0530
Subject: [PATCH 2/4] SK-2389: revert example/package.json
---
example/package.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
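Review bot: `react-test-renderer` is pinned to 18.3.1 while `react` stays at 18.0.0 in the same devDependencies hunk; if, like the other 18.3.1 React packages, the renderer declares a peer range of react ^18.3.1, the npm 6 bundled with Node 14.21.3 only warns about the mismatch but npm 7+ rejects it with ERESOLVE, so the pin would break the first time the runner's npm is upgraded. Confirm the pair against the lockfile and either move both to the same 18.x or keep the renderer at the react version, e.g. `"react-test-renderer": "18.0.0"`. Exact pins here also cover only direct dependencies; the `resolutions` block left as context is Yarn-only and not applied by npm, so it does not constrain the transitive tree in these workflows. The rest of package.json is outside the hunk.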
diff --git a/example/package.json b/example/package.json
index 13e052b..97db816 100644
--- a/example/package.json
+++ b/example/package.json
@@ -12,7 +12,7 @@
},
"dependencies": {
"react": "18.2.0",
- "react-native": "0.71.19"
+ "react-native": "^0.71.19"
},
"resolutions": {
"@babel/runtime": "^7.26.10",
@@ -20,12 +20,12 @@
"brace-expansion": "^1.1.12"
},
"devDependencies": {
- "@babel/core": "7.26.0",
- "@babel/runtime": "7.27.6",
- "babel-plugin-module-resolver": "5.0.2",
- "metro-react-native-babel-preset": "0.73.10",
- "patch-package": "6.5.1",
- "postinstall-postinstall": "2.1.0",
+ "@babel/core": "^7.12.10",
+ "@babel/runtime": "^7.12.5",
+ "babel-plugin-module-resolver": "^5.0.0",
+ "metro-react-native-babel-preset": "^0.67.0",
+ "patch-package": "^6.4.7",
+ "postinstall-postinstall": "^2.1.0",
"react-test-renderer": "18.1.0"
}
}
From 13a008f63b239554b906653eff6a5b0cf5813722 Mon Sep 17 00:00:00 2001
From: saileshwar-skyflow
Date: Thu, 4 Jun 2026 23:47:12 +0530
Subject: [PATCH 3/4] SK-2389: remove npmrc
---
.npmrc | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 .npmrc
diff --git a/.npmrc b/.npmrc
deleted file mode 100644
index 90e08a1..0000000
--- a/.npmrc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ignore-scripts not set globally — example/package.json uses postinstall=patch-package
-# for required dependency patches, and react-native may use native postinstall scripts.
-# Apply --ignore-scripts selectively per CI workflow step instead (see .github/workflows/).
From 90b084a170219181f860116b4c4bb07a0816136f Mon Sep 17 00:00:00 2001
From: saileshwar-skyflow
Date: Thu, 4 Jun 2026 23:54:41 +0530
Subject: [PATCH 4/4] SK-2839: remove comments
---
.github/workflows/CI.yml | 3 ---
.github/workflows/beta-release.yml | 3 ---
.github/workflows/internal-release.yml | 3 ---
.github/workflows/main.yml | 3 ---
.github/workflows/release.yml | 3 ---
5 files changed, 15 deletions(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 4891c4d..2e4d799 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -29,9 +29,6 @@ jobs:
node-version: 14.21.3
- name: install node_modules
- # --ignore-scripts: guard against supply-chain postinstall execution.
- # example/postinstall (patch-package) is not triggered here (root install only).
- # react-native native postinstall not required — CI runs JS tests/build only.
run: npm install --ignore-scripts
- name: Run spellcheck
diff --git a/.github/workflows/beta-release.yml b/.github/workflows/beta-release.yml
index 3108d21..000ec89 100644
--- a/.github/workflows/beta-release.yml
+++ b/.github/workflows/beta-release.yml
@@ -19,9 +19,6 @@ jobs:
with:
node-version: 14.21.3
registry-url: 'https://registry.npmjs.org'
- # --ignore-scripts: guard against supply-chain postinstall execution.
- # example/postinstall (patch-package) is not triggered here (root install only).
- # react-native native postinstall not required — CI runs JS tests/build only.
- run: npm install --ignore-scripts
- name: Build
diff --git a/.github/workflows/internal-release.yml b/.github/workflows/internal-release.yml
index a7723d8..56bd221 100644
--- a/.github/workflows/internal-release.yml
+++ b/.github/workflows/internal-release.yml
@@ -24,9 +24,6 @@ jobs:
with:
node-version: 14.21.3
- # --ignore-scripts: guard against supply-chain postinstall execution.
- # example/postinstall (patch-package) is not triggered here (root install only).
- # react-native native postinstall not required — CI runs JS tests/build only.
- run: npm install --ignore-scripts
- name: Get Previous tag
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08a7d43..761daab 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,9 +15,6 @@ jobs:
node-version: 14.21.3
- name: install node_modules
- # --ignore-scripts: guard against supply-chain postinstall execution.
- # example/postinstall (patch-package) is not triggered here (root install only).
- # react-native native postinstall not required — CI runs JS tests/build only.
run: npm install --ignore-scripts
- name: Run tests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3f72715..d2ff45f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,9 +23,6 @@ jobs:
- name: install modules
- # --ignore-scripts: guard against supply-chain postinstall execution.
- # example/postinstall (patch-package) is not triggered here (root install only).
- # react-native native postinstall not required — CI runs JS tests/build only.
run: npm install --ignore-scripts
- name: Get Previous tag