
security: harden npm install against supply chain attacks#513

Merged
yeelali14 merged 1 commit into develop from npm-no-cache on Apr 4, 2026

Conversation

Contributor

@yeelali14 yeelali14 commented Apr 4, 2026

✨ PR Description

Purpose: Harden npm package installation process against supply chain attacks by disabling script execution and clearing cached packages before dependency installation.

Main changes:

  • Added npm cache clean step before dependency installation to prevent using potentially compromised cached packages
  • Replaced --silent flag with --ignore-scripts flag to prevent execution of pre/post-install scripts from dependencies
  • Reordered workflow steps to ensure cache clearing occurs before package installation for maximum security

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.
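The two changes listed in the description, shown side by side as a GitHub Actions fragment. This is an added illustration, not the PR's own action.yml diff: the page only says that `--silent` was swapped for `--ignore-scripts` and that an `npm cache clean` step now runs before installation. The step names, the `actions/checkout` and `actions/setup-node` versions, the use of a composite action, and the assumption that the original command was `npm install --silent` and the new one `npm ci` are mine.

```yaml
# Constructed example (composite action); not the PR's action.yml.
# Assumes a package-lock.json is committed, which `npm ci` requires.
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: '20'

    # BEFORE (weak, assumed original): every transitive dependency's
    # preinstall/postinstall script runs with the runner's environment,
    # including any secrets exported to the job; --silent only hides the
    # output, it does not stop the scripts.
    - name: Install dependencies (before)
      shell: bash
      run: npm install --silent

    # AFTER (hardened): the cache is discarded, then dependencies are
    # installed from the lockfile with lifecycle scripts disabled.
    - name: Clear npm cache
      shell: bash
      run: npm cache clean --force

    - name: Install dependencies (hardened)
      shell: bash
      # --ignore-scripts also skips the root project's own prepare/postinstall
      # hooks and any node-gyp build of native addons. If one specific,
      # trusted package needs its build step, rebuild it explicitly
      # afterwards (e.g. `npm rebuild <pkg>`) rather than re-enabling
      # scripts for the whole tree.
      run: npm ci --ignore-scripts
```

Note that the lockfile's `integrity` field is what `npm ci` verifies for each tarball, and that check runs whether the tarball comes from the local cache or from the registry; the cache-clean step therefore costs a full re-download on every run without changing what is verified, which is the point the review bot raises below.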

@orca-security-us orca-security-us bot left a comment

Orca Security Scan Summary

Status   Check                    Issues by priority
Passed   Infrastructure as Code   high 0, medium 0, low 0, info 0
Passed   OSS Licenses             high 0, medium 0, low 0, info 0
Passed   SAST                     high 0, medium 0, low 0, info 0
Passed   Secrets                  high 0, medium 0, low 0, info 0
Passed   Vulnerabilities          high 0, medium 0, low 0, info 0

@linearb linearb bot added the 1 min review label Apr 4, 2026
@yeelali14 yeelali14 added the auto-deploy when exists in PR, will auto make release and auto deploy to prod label Apr 4, 2026
@linearb linearb bot left a comment

✨ PR Review

Agentic review
npm install supply chain hardening looks solid with a nit on cache strategy—forcing a full re-download on every CI run creates unnecessary overhead, though this is minor polish and doesn't block the security gains.

1 issue detected:

🔒 Security - Unnecessary Cache Clearing Degrades CI Performance

Details: The npm cache clean --force step at lines 120–122 unnecessarily clears the npm cache on every CI run without providing additional security benefit — the --ignore-scripts flag already prevents lifecycle script execution, and npm's integrity verification applies to both cached and downloaded packages. This degrades CI performance by forcing re-downloads on self-hosted runners and is pure overhead. Remove this step.
File: action.yml (120-122)

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.

@yeelali14 yeelali14 merged commit 22cbb9f into develop Apr 4, 2026
13 checks passed
@yeelali14 yeelali14 deleted the npm-no-cache branch April 4, 2026 09:25