Security/npm lockdown 2025 09 08#1653
Merged
Merged
Conversation
45c2720 to
e5a6f05
Compare
Create install action and update all workflows: ✅ Created .github/actions/install/action.yml - Centralized yarn install with security flags - Configurable install args and memory settings - Clean max-old-space-size input (MB only) - Mandatory yarn constraints verification - GitHub variable support via ignore-scripts input ✅ Updated 9 workflows to use centralized action: - continuous-integration-unit-tests.yaml - continuous-integration-e2e.yaml - continuous-integration-side-tests.yaml - continuous-integration-blockfrost-e2e.yaml - test-deploy-e2e.yaml - k6-web-socket.yaml - k6-wallets.yaml - release.yaml - post_integration.yml ✅ Added Yarn constraints infrastructure - Installed @yarnpkg/plugin-constraints - Configured in .yarnrc.yml - Created empty .yarn/constraints.pro for rules - Updated .gitignore to track constraints.pro - All workflows map vars.DISABLE_NPM_SCRIPTS to action 🎯 Benefits: - Single source of truth for install logic - Easy to add constraint checks later - Consistent security posture across all workflows - Reduced duplication and maintenance burden - Foundation ready for security policy enforcement
e5a6f05 to
ceddb03
Compare
mkazlauskas
previously approved these changes
Sep 9, 2025
…-09-08) Add security measures to prevent malicious package versions: ✅ Added Yarn constraints blocklist (.yarn/constraints.pro) - Blocks 19 malicious versions of compromised packages - Prevents installation of known bad releases - Covers color, chalk, and related dependency chains ✅ Pinned exact safe versions via resolutions (package.json) - color: 4.2.3 (last known good) - color-string: 1.9.1 (last known good) - color-convert: 2.0.1 (last known good) - color-name: 1.1.4 (last known good) - chalk: 4.1.2 (last known good) - Plus 13 additional related packages ✅ Updated Yarn configuration - Added constraints plugin - Configured for security enforcement - Updated lockfile with safe versions 🎯 Security Benefits: - Prevents qix hack - Blocks malicious postinstall scripts - Ensures reproducible, secure builds - Centralized security policy enforcement
3d922c7 to
b7f44ec
Compare
mkazlauskas
approved these changes
Sep 9, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🛡️ Security: Block Compromised NPM Releases & Centralize Package Installation
Summary
This PR centralizes package installation across GitHub workflows and adds security measures to prevent malicious package versions sneaking in.
ℹ️ There are currently no known vulnerabilities in the dependency tree, but this is a proactive measure to guard against yesterday's supply chain attack.
Changes
1. Centralize Package Installation and Hardening
.github/actions/install/action.ymlfor centralized dependency installationDISABLE_NPM_SCRIPTS2. Security Measures
.yarn/constraints.profor 19 malicious package versionsresolutionsinpackage.json:color: 4.2.3,color-string: 1.9.1,color-convert: 2.0.1color-name: 1.1.4,chalk: 4.1.2, plus 13 related packagesBenefits