From a26d704a2e9006085e9baf62f291440eaf857755 Mon Sep 17 00:00:00 2001
From: VariableVince <24507472+VariableVince@users.noreply.github.com>
Date: Wed, 17 Dec 2025 21:38:47 +0100
Subject: [PATCH] Help prevent supply chain attack: add safer install script (#2627)

## Description:

For safer installations, clean install (ci) should be used, preferably with added --ignore-scripts. To make it easier for devs, add an npm script which can be run by using "npm run inst". Update readme.

Evan agreed here https://discord.com/channels/1359946986937258015/1360078040222142564/1432085555126206576

"npm run inst" runs `npm ci --ignore-scripts` which installs dependencies exactly according to the versions in `package-lock.json` and doesn't run scripts. This can prevent being hit by a supply chain attack.

Did not re-use the "install" or "ci" npm lifecycle hook, instead used a similar but still short script name "inst". We can change this to something like "safe-install" if needed but I assume "inst" will do.

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText() and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or regression is found:

tryout33
---
 README.md    | 4 +++-
 package.json | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9ebab49eb..c6aafda82 100644
--- a/README.md
+++ b/README.md
@@ -57,9 +57,11 @@ For license history, see [LICENSING.md](LICENSING.md). 2. **Install dependencies** ```bash - npm i + npm run inst ``` + Do NOT use `npm install` nor `npm i` but instead use our `npm run inst`. It runs the safer `npm ci --ignore-scripts` to install dependencies exactly according to the versions in `package-lock.json` and doesn't run scripts. This can prevent being hit by a supply chain attack. + ## 🎮 Running the Game ### Development Mode diff --git a/package.json b/package.json index 9e93c8b16..a77ec1133 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,8 @@ "lint": "eslint", "lint:fix": "eslint --fix", "prepare": "husky", - "gen-maps": "cd map-generator && go run . && npm run format" + "gen-maps": "cd map-generator && go run . && npm run format", + "inst": "npm ci --ignore-scripts" }, "lint-staged": { "**/*": [
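Review bot: The new README paragraph in the first hunk should say what `--ignore-scripts` costs the developer, not only what it prevents: it skips the project's own lifecycle scripts too, and this repo has `"prepare": "husky"` (visible in the package.json hunk), so after `npm run inst` the git hooks husky would normally install are not set up. Suggest adding one line such as "Git hooks are not installed by this command; run `npm run prepare` once if you want them." It would also help to state that `npm ci` refuses to run when `package.json` and `package-lock.json` are out of sync and that it removes an existing `node_modules` first, since both behaviours differ from `npm i` and will surprise people following the old step. Minor wording: "Do NOT use `npm install` nor `npm i`" reads better as "Do NOT use `npm install` or `npm i`".

Review bot: The `inst` script in the second hunk only protects developers who remember to type `npm run inst`; a plain `npm i` still runs every install script. Consider pairing it with `ignore-scripts=true` in a committed `.npmrc`, which makes `npm install` and `npm ci` skip lifecycle scripts regardless of the command used, while `npm run inst` (and other explicit `npm run` targets such as `npm run prepare`) keep working because `npm run` still executes the named script when `ignore-scripts` is set. Also note the trade-off already implied by the `"prepare": "husky"` line directly above the added script: with scripts ignored, husky is never invoked, so the repo's lint-staged hooks are opt-in from this commit onward and the README (or a `postinst`-style follow-up) should tell contributors how to enable them.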