spec: Use safe-chain to run npm ci
Safe Chain adds extra checks before new packages are installed. Lifecycle scripts are also ignored during the install. Link: https://github.com/AikidoSec/safe-chain Link: https://github.com/bodadotsh/npm-security-best-practices Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
This commit is contained in:
parent
bbb4f595fe
commit
5b93ed1649
1 changed files with 10 additions and 3 deletions
@ -12,12 +12,19 @@ f=tools/server/public/index.html.gz
|
|||
printf '%s\n\n' "ALT: Re-generate $f" > .git/NPM_I.log
|
||||
share_network=1 \
|
||||
hsh-run --mountpoints=/proc -- bash -e <<-EOF |& tee -a .git/NPM_I.log
|
||||
cd /usr/src/build
|
||||
set -x
|
||||
mkdir ~/.npm-global
|
||||
npm config set prefix ~/.npm-global
|
||||
npm install -g @aikidosec/safe-chain
|
||||
PATH=~/.npm-global/bin:\$PATH
|
||||
|
||||
cd /usr/src/build
|
||||
rm $f
|
||||
cd tools/server/webui
|
||||
npm i
|
||||
npm audit --audit-level=critical fix
|
||||
aikido-npm ci --ignore-scripts
|
||||
aikido-npm audit --audit-level=critical fix
|
||||
du -sh node_modules
|
||||
|
||||
npm run build
|
||||
EOF
|
||||
hsh-run -- base64 "/usr/src/build/$f" | base64 -d > "$f"
|
||||
|
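Review bot: The bootstrap line `npm install -g @aikidosec/safe-chain` installs the guard itself unpinned and with lifecycle scripts enabled, so the one install that safe-chain cannot vet is the least constrained one; pin it and skip scripts, e.g. `npm install -g --ignore-scripts @aikidosec/safe-chain@<PINNED_VERSION>`. The later `aikido-npm audit --audit-level=critical fix` line also omits `--ignore-scripts`, so any package pulled in by the fix step runs its install scripts despite the `aikido-npm ci --ignore-scripts` line just above it, and `fix` rewrites the lockfile that `ci` just installed from, which is worth a comment or a diff of `package-lock.json` in the log. Which of the two `cd /usr/src/build` lines is new cannot be read from the rendered gutter, so I have not assumed either. The here-doc is part of an outer script whose start lies outside the hunk.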