7Bitrot/gatsby-ignore-scripts-test

GitHub: 7Bitrot/gatsby-ignore-scripts-test

Stars: 0 | Forks: 0

# NPM ignore-scripts testing with Gatsby

This project uses a basic template following the [Gatsby Quick Start Guide](https://www.gatsbyjs.com/docs/quick-start/).

## Purpose

This project is intended for testing the OWASP NPM Security best practice to [minimize attack surfaces by ignoring run-scripts](https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#3-minimize-attack-surfaces-by-ignoring-run-scripts) in Gatsby, and as an example for this [discussion](https://github.com/gatsbyjs/gatsby/discussions/39579) on the Gatsby board.

## Instructions for testing

```sh
npm i -g @lavamoat/allow-scripts
allow-scripts setup
allow-scripts auto
npm pkg set scripts.setup='npm ci && allow-scripts'
```

At this point, you should see a configuration similar to the following in your `package.json` file. Note that the exact `lavamoat.allowScripts` entries depend on your installed package versions and plugin set:

```json
{
  "lavamoat": {
    "allowScripts": {
      "@lavamoat/preinstall-always-fail#3.0.0": false,
      "gatsby#5.16.1": false,
      "gatsby-plugin-sharp>sharp#0.32.6": false,
      "gatsby>@parcel/cache>lmdb#2.5.2": false,
      "gatsby>@pmmmwh/react-refresh-webpack-plugin>core-js-pure#3.24.1": false,
      "gatsby>core-js#3.48.0": false,
      "gatsby>gatsby-cli#5.16.0": false,
      "gatsby>lmdb#2.5.3": false,
      "gatsby>lmdb>msgpackr>msgpackr-extract#3.0.3": false,
      "gatsby>memoizee>es5-ext#0.10.64": false,
      "sass>@parcel/watcher#2.5.6": false
    }
  }
}
```

The `@lavamoat/preinstall-always-fail` entry is the canary that `allow-scripts setup` adds: its `preinstall` script always fails, so it stays `false` and any install that still runs lifecycle scripts breaks loudly instead of silently.

Running the project at this point fails, because `sharp` was installed without its install script:

```
ERROR UNKNOWN

Error in "/path/to/your/project/node_modules/gatsby-plugin-sharp/gatsby-node": Something went wrong installing the "sharp" module
```

The error shows that `sharp` must be allowed to run scripts in order to install correctly, so we tell `allow-scripts` to do so:

```diff
{
  "lavamoat": {
    "allowScripts": {
      ...
-     "gatsby-plugin-sharp>sharp#0.32.6": false,
+     "gatsby-plugin-sharp>sharp#0.32.6": true,
      ...
    }
  }
}
```

Then run the allowed scripts:

```sh
npm run setup
```

Finally, if you run the project again it should work normally.
## Additional testing

This is where users can get confused:

- How do you know which post-install scripts can be safely ignored?
- Which ones should be allowed to ensure Gatsby runs properly?

This is when `can-i-ignore-scripts` comes in handy. Run `npx can-i-ignore-scripts` and accept the suggestions when prompted:

```diff
{
  "lavamoat": {
    "allowScripts": {
      "@lavamoat/preinstall-always-fail#3.0.0": false,
      "gatsby#5.16.1": false,
      "gatsby-plugin-sharp>sharp#0.32.6": false,
      "gatsby>@parcel/cache>lmdb#2.5.2": false,
      "gatsby>@pmmmwh/react-refresh-webpack-plugin>core-js-pure#3.24.1": false,
      "gatsby>core-js#3.48.0": false,
      "gatsby>gatsby-cli#5.16.0": false,
      "gatsby>lmdb#2.5.3": false,
      "gatsby>lmdb>msgpackr>msgpackr-extract#3.0.3": false,
      "gatsby>memoizee>es5-ext#0.10.64": false,
      "sass>@parcel/watcher#2.5.6": false,
+     "lmdb": true,
+     "@parcel/watcher": true,
+     "msgpackr-extract": true,
+     "sharp": true
    }
  }
}
```

As `@lavamoat/allow-scripts` needs the exact `path>to>package#version` keys to match an entry, the bare names that `can-i-ignore-scripts` adds have no effect. You'll need to apply the suggestions manually to the versioned entries in the allow list and drop the bare ones:

```diff
{
  "lavamoat": {
    "allowScripts": {
      "@lavamoat/preinstall-always-fail#3.0.0": false,
      "gatsby#5.16.1": false,
+     "gatsby-plugin-sharp>sharp#0.32.6": true,
+     "gatsby>@parcel/cache>lmdb#2.5.2": true,
      "gatsby>@pmmmwh/react-refresh-webpack-plugin>core-js-pure#3.24.1": false,
      "gatsby>core-js#3.48.0": false,
      "gatsby>gatsby-cli#5.16.0": false,
+     "gatsby>lmdb#2.5.3": true,
+     "gatsby>lmdb>msgpackr>msgpackr-extract#3.0.3": true,
      "gatsby>memoizee>es5-ext#0.10.64": false,
+     "sass>@parcel/watcher#2.5.6": true,
-     "lmdb": true,
-     "@parcel/watcher": true,
-     "msgpackr-extract": true,
-     "sharp": true
    }
  }
}
```

After that your build should run _normally_.

`can-i-ignore-scripts` will suggest you check other packages:

```
You have 4 packages identified as 'check' that are not yet allowed.
es5-ext, gatsby, gatsby-cli, ljharb-monorepo-symlink-test
Please review these packages and update your lavamoat allowlist in package.json as needed.
```
`es5-ext` and `ljharb-monorepo-symlink-test` can be ignored. I'm not sure whether `gatsby` and `gatsby-cli` need to be allowed. You can read more about how `@lavamoat/allow-scripts` works [here](https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts#readme).
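The manual step above (mapping the bare names that `can-i-ignore-scripts` suggests onto the versioned keys that `@lavamoat/allow-scripts` actually reads) done in code, as an added example that is not part of this repo or of LavaMoat. The key format `root>nested>leaf#version`, with the governed package as the last segment, is taken from the config shown above; the sample allowlist and suggestions are constructed from this README, and `applySuggestions`, `packagesStillDenied` and the canary handling are this example's own names and choices, not an allow-scripts API.

```javascript
// Added example (not from the gatsby-ignore-scripts-test repo or LavaMoat):
// merge bare-name suggestions from `can-i-ignore-scripts` into the versioned
// `lavamoat.allowScripts` entries that @lavamoat/allow-scripts matches on.
//
// Assumed key format, taken from the config shown in this README:
//   "<root dep>[><nested dep>...]#<version>"
// The last ">"-separated segment before "#" is the package whose lifecycle
// scripts the entry governs (scoped names contain "/", never ">").

// Constructed sample: the allowlist `allow-scripts auto` produced in this README.
const sampleAllowScripts = {
  '@lavamoat/preinstall-always-fail#3.0.0': false,
  'gatsby#5.16.1': false,
  'gatsby-plugin-sharp>sharp#0.32.6': false,
  'gatsby>@parcel/cache>lmdb#2.5.2': false,
  'gatsby>@pmmmwh/react-refresh-webpack-plugin>core-js-pure#3.24.1': false,
  'gatsby>core-js#3.48.0': false,
  'gatsby>gatsby-cli#5.16.0': false,
  'gatsby>lmdb#2.5.3': false,
  'gatsby>lmdb>msgpackr>msgpackr-extract#3.0.3': false,
  'gatsby>memoizee>es5-ext#0.10.64': false,
  'sass>@parcel/watcher#2.5.6': false,
};

// Constructed sample: the bare names `can-i-ignore-scripts` suggested above.
const sampleSuggestions = {
  lmdb: true,
  '@parcel/watcher': true,
  'msgpackr-extract': true,
  sharp: true,
};

// Canary that `allow-scripts setup` adds; its preinstall script always fails,
// so this example refuses to flip it to true.
const CANARY = '@lavamoat/preinstall-always-fail';

// "gatsby>@parcel/cache>lmdb#2.5.2" -> "lmdb"
function packageNameOfKey(key) {
  const hash = key.lastIndexOf('#');
  const depPath = hash === -1 ? key : key.slice(0, hash);
  return depPath.split('>').pop();
}

// Apply { bareName: boolean } suggestions to a versioned allowlist.
// Every versioned entry whose leaf package matches a bare name is set.
// Names with no matching entry are reported instead of being written as
// unversioned keys, which allow-scripts would never match.
function applySuggestions(allowScripts, suggestions) {
  const updated = { ...allowScripts };
  const unmatched = [];
  const refused = [];
  for (const [name, allowed] of Object.entries(suggestions)) {
    if (name === CANARY) {
      refused.push(name);
      continue;
    }
    if (name.includes('#')) { // already a full versioned key: take as-is
      updated[name] = allowed;
      continue;
    }
    const matches = Object.keys(allowScripts).filter(
      (k) => packageNameOfKey(k) === name,
    );
    if (matches.length === 0) {
      unmatched.push(name);
      continue;
    }
    for (const k of matches) updated[k] = allowed;
  }
  return { allowScripts: updated, unmatched, refused };
}

// Leaf package names of entries still set to false, sorted, so the remaining
// decisions can be reviewed against the build output one package at a time.
function packagesStillDenied(allowScripts) {
  const names = Object.entries(allowScripts)
    .filter(([, allowed]) => allowed === false)
    .map(([k]) => packageNameOfKey(k));
  return [...new Set(names)].sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = applySuggestions(sampleAllowScripts, sampleSuggestions);
  console.log(JSON.stringify({ lavamoat: { allowScripts: result.allowScripts } }, null, 2));
  console.log('unmatched suggestions:', result.unmatched);
  console.log('refused suggestions:', result.refused);
  console.log('still denied:', packagesStillDenied(result.allowScripts));
}
```

Run it with `node merge-allowlist.js` (file name assumed) and paste the printed `lavamoat` object into `package.json`; the "still denied" list is the set you still have to decide on by hand, which for this project is the canary plus `core-js`, `core-js-pure`, `es5-ext`, `gatsby` and `gatsby-cli`.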
Tags: custom scripts