Help prevent supply chain attack: add safer install script (#2627)

## Description:

For safer installations, clean install (ci) should be used, preferably
with added --ignore-scripts. To make it easier for devs, add an npm
script which can be run by using "npm run inst". Update readme.

Evan agreed here
https://discord.com/channels/1359946986937258015/1360078040222142564/1432085555126206576

"npm run inst" runs `npm ci --ignore-scripts` which installs
dependencies exactly according to the versions in `package-lock.json`
and doesn't run scripts. This can prevent being hit by a supply chain
attack.

Did not re-use the "install" or "ci" npm lifecycle hook, instead used a
similar but still short script name "inst". We can change this to
something like "safe-install" if needed but I assume "inst" will do.

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText()
and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or
regression is found:

tryout33
VariableVince
2025-12-17 21:38:47 +01:00
committed by GitHub
parent 2a294d93df
commit a26d704a2e
2 changed files with 5 additions and 2 deletions
+3 -1
@@ -57,9 +57,11 @@ For license history, see [LICENSING.md](LICENSING.md).
2. **Install dependencies**
```bash
npm i
npm run inst
```
Do NOT use `npm install` nor `npm i` but instead use our `npm run inst`. It runs the safer `npm ci --ignore-scripts` to install dependencies exactly according to the versions in `package-lock.json` and doesn't run scripts. This can prevent being hit by a supply chain attack.
## 🎮 Running the Game
### Development Mode
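Review bot: The new paragraph under "Install dependencies" forbids `npm install` and `npm i` outright but does not say how a contributor should add or update a dependency, and `npm ci` never writes `package-lock.json` and fails when the lockfile and `package.json` disagree. Suggest scoping the rule to setting up an existing checkout and adding one sentence on the dependency-change workflow (for example `npm install <pkg> --ignore-scripts`, then commit the updated lockfile). The last sentence also reads broader than the mechanism: `--ignore-scripts` only stops install-time lifecycle scripts, so a compromised package that is imported at build or run time still executes; "reduces the risk from malicious install scripts" would be more accurate than "can prevent being hit by a supply chain attack".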
+2 -1
@@ -18,7 +18,8 @@
"lint": "eslint",
"lint:fix": "eslint --fix",
"prepare": "husky",
"gen-maps": "cd map-generator && go run . && npm run format"
"gen-maps": "cd map-generator && go run . && npm run format",
"inst": "npm ci --ignore-scripts"
},
"lint-staged": {
"**/*": [
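Review bot: `--ignore-scripts` in the new `"inst"` entry also suppresses this package's own lifecycle scripts, so the `"prepare": "husky"` line two entries above no longer runs on a fresh clone and the git hooks that drive `lint-staged` are not installed. Either chain it explicitly, e.g. `"inst": "npm ci --ignore-scripts && npm run prepare"`, or document in the README that `npm run prepare` must be run once after `npm run inst`. Separately, the protection only applies when people remember to use the alias; a committed `.npmrc` with `ignore-scripts=true` would cover a plain `npm ci` or `npm install` as well, and is worth considering alongside this script.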