From 5b93ed16495c7fc6ffd8d7184c3fd5743768c031 Mon Sep 17 00:00:00 2001
From: Vitaly Chikunov
Date: Tue, 25 Nov 2025 00:16:29 +0300
Subject: [PATCH] spec: Use safe-chain to run npm ci

Safe Chain provides extra checks before installing new packages. Also, ignore lifecycle scripts.

Link: https://github.com/AikidoSec/safe-chain
Link: https://github.com/bodadotsh/npm-security-best-practices
Signed-off-by: Vitaly Chikunov
---
 .gear/generate | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.gear/generate b/.gear/generate
index 46687d1e6..e560b1254 100755
--- a/.gear/generate
+++ b/.gear/generate
@@ -12,12 +12,19 @@ f=tools/server/public/index.html.gz
 printf '%s\n\n' "ALT: Re-generate $f" > .git/NPM_I.log
 share_network=1 \
 hsh-run --mountpoints=/proc -- bash -e <<-EOF |& tee -a .git/NPM_I.log
- cd /usr/src/build
 set -x
+ mkdir ~/.npm-global
+ npm config set prefix ~/.npm-global
+ npm install -g @aikidosec/safe-chain
+ PATH=~/.npm-global/bin:\$PATH
+
+ cd /usr/src/build
+
 rm $f
 cd tools/server/webui
- npm i
- npm audit --audit-level=critical fix
+ aikido-npm ci --ignore-scripts
+ aikido-npm audit --audit-level=critical fix
 du -sh node_modules
+ npm run build
 EOF
 hsh-run -- base64 "/usr/src/build/$f" | base64 -d > "$f"
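Review bot: The guard tool itself is installed unguarded: `npm install -g @aikidosec/safe-chain` pulls an unpinned latest version straight from the registry with lifecycle scripts enabled, so the bootstrap step has exactly the exposure the rest of the hunk is trying to remove. Pin it to an explicit version and skip its scripts too, e.g. `npm install -g --ignore-scripts @aikidosec/safe-chain@<pinned version>`, and consider recording the expected integrity in the spec so the build is reproducible. The later `aikido-npm audit --audit-level=critical fix` performs another install that is not given `--ignore-scripts` and rewrites package-lock.json after `ci` has just enforced it, which undoes the lockfile guarantee; either drop the `fix` or run it as `aikido-npm audit --audit-level=critical fix --ignore-scripts` and treat a changed lockfile as a review event rather than silently building from it. A smaller robustness point: with `bash -e`, `mkdir ~/.npm-global` aborts the whole heredoc if the directory already exists in the build chroot, so `mkdir -p ~/.npm-global` is safer. The heredoc and the surrounding `hsh-run` invocation start and end inside this hunk, but the rest of `.gear/generate` is outside it.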