security: create .npmrc#745

Merged
sonukapoor merged 3 commits into
OWASP:mainfrom
pfarikrispy:main
Jun 22, 2026

Conversation

@pfarikrispy

Contributor

Summary

define npmrc with basic security policies to harden npm

Why this change

For best security, it is advised to disallow postinstall scripts, but this security scanner requires better-sqlite3 and, for compatibility reasons, it needs to be able to build the library.

What changed

  • create .npmrc
  • disallow git installs
  • define min-release-age of 5 days (can be adjusted as needed)

Validation

N/A

See #710

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

Personally, I would start using/relying on the pnpm package manager as it allows for a global deny of scripts and individual, named overrides, such as better-sqlite3 in this case. That makes it explicit and versionable. (As is recommended in the GitHub npm-security-best-practices repo.)

pnpm-workspace.yaml:

# npm security best practices
# Source: https://github.com/lirantal/npm-security-best-practices

# SECURITY: block packages newer than 5 days (7200 minutes)
minimumReleaseAge: 7200

# SECURITY: reject a version whose publishing trust signals regressed
trustPolicy: no-downgrade

# SECURITY: keep strict overrides only when necessary and vetted
# trustPolicyExclude:
#   - 'chokidar@4.0.3'
#   - 'webpack@4.47.0 || 5.102.1'

# SECURITY: pnpm blocks install scripts by default, enabled explicitly for:
allowBuilds:
  better-sqlite3: true

# SECURITY: fail the install if a dependency wants to run 
# a build script that isn't in the allow-list above
strictDepBuilds: true

# SECURITY: reject dependencies sourced from git URLs
blockExoticSubdeps: true
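
The .npmrc itself is not reproduced on this page, so the following is an added example rather than the PR's file: a constructed .npmrc that mirrors the three policies described above (git installs blocked with allow-git=none, lifecycle scripts left enabled because better-sqlite3 must build its native module, min-release-age kept commented out until the npm CLI supports it), together with a POSIX shell check that reads the effective, uncommented values and reports whether the hardening keys are in place. The file contents, the helper names (write_sample_npmrc, npmrc_get, check_npmrc) and the unit of the commented min-release-age value are assumptions, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the PR's own .npmrc: a constructed file that mirrors the
# policies the PR describes, plus a checker for the effective (uncommented) values.

# write_sample_npmrc DEST: write the constructed .npmrc to DEST
write_sample_npmrc() {
  cat > "$1" <<'EOF'
# Reject dependencies resolved from git URLs.
# "none" is an enum value of allow-git (not a boolean), as noted in review.
allow-git=none

# Lifecycle scripts stay enabled: the scanner depends on better-sqlite3,
# which must be able to build its native module. Revisit if an allow-list
# of script-running packages becomes available (pnpm: allowBuilds).
ignore-scripts=false

# Cooldown for newly published versions (5 days). Commented out because the
# npm CLI in use did not support it yet; pnpm equivalent: minimumReleaseAge.
# (The value and its unit here are an assumption, not taken from the PR.)
# min-release-age=5
EOF
}

# npmrc_get FILE KEY: print the last uncommented value for KEY, nothing if unset
npmrc_get() {
  awk -v key="$2" '
    /^[[:space:]]*[#;]/ { next }                 # comment line
    index($0, "=") == 0 { next }                 # not a key=value line
    {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) val = v                      # later entries override earlier ones
    }
    END { if (val != "") print val }
  ' "$1"
}

# check_npmrc FILE: print one line per finding; return 0 if the hard
# requirements hold, 1 otherwise. Warnings do not change the status.
check_npmrc() {
  file=$1
  status=0

  if [ "$(npmrc_get "$file" allow-git)" = "none" ]; then
    echo "OK:   git-sourced dependencies are blocked (allow-git=none)"
  else
    echo "FAIL: allow-git is not 'none'; git URLs are not subject to registry publish checks or release cooldowns"
    status=1
  fi

  case "$(npmrc_get "$file" ignore-scripts)" in
    true)  echo "OK:   lifecycle scripts disabled" ;;
    false) echo "WARN: lifecycle scripts enabled (required for better-sqlite3); keep the exception documented" ;;
    *)     echo "FAIL: ignore-scripts is not set explicitly"; status=1 ;;
  esac

  if [ -n "$(npmrc_get "$file" min-release-age)" ]; then
    echo "OK:   release cooldown active"
  else
    echo "WARN: min-release-age inactive; freshly published versions install immediately"
  fi

  return $status
}

# Usage: sh check_npmrc.sh /path/to/.npmrc   (omit the path to check the constructed sample)
if [ -n "${1:-}" ]; then
  check_npmrc "$1"
else
  sample=$(mktemp)
  write_sample_npmrc "$sample"
  check_npmrc "$sample"
  rm -f "$sample"
fi
```

The check deliberately treats an unset ignore-scripts as a failure rather than accepting npm's default: the point of the PR is to make the better-sqlite3 exception explicit and reviewable, so the key must be present in the file either way, and a reviewer sees the WARN line every time scripts are left enabled.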

define npmrc with basic security policies to harden npm

@sonukapoor sonukapoor left a comment

Collaborator


Good intent and the allow-git=none direction looks right. Two things need fixing before this is safe to ship.

pfarikrispy and others added 2 commits June 22, 2026 18:22
Cleanup comment for ignore-scripts
comment out min-release-age, not supported yet

@sonukapoor sonukapoor left a comment

Collaborator


Both issues from the first review are addressed - the ignore-scripts comment is clear and honest, and allow-git=none is the right value (it is a valid enum, not a boolean). The min-release-age note as a pnpm migration hint makes sense. Good contribution.

@sonukapoor sonukapoor merged commit 8b1258a into OWASP:main Jun 22, 2026
6 checks passed
@sonukapoor

Collaborator

Merged - thank you @pfarikrispy!
