feat(@angular-devkit/schematics): disable package script execution by default in NodePackageInstallTask
#23059
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
clydin
force-pushed
the
ng-new/no-postinstalls
branch
from
bd01053 to
1a75404
Compare
clydin
added
the
action: review
dgp1130
approved these changes
Apr 29, 2022
packages/angular_devkit/schematics/tasks/package-manager/install-task.ts
Outdated
Show resolved
Hide resolved
|
@twerske / @MarkTechson - I wonder if this would be worth mentioning the v14 blog post / release announcement as one way we're improving security for Angular applications? |
clydin
removed
the
action: review
clydin
force-pushed
the
ng-new/no-postinstalls
branch
from
1a75404 to
da61a2b
Compare
clydin
added
action: merge
… default in `NodePackageInstallTask` In an effort to improve supply chain security, the `NodePackageInstallTask` will now use the package manager's `--ignore-scripts` option by default. Without the option, all direct and transitive dependencies would have their scripts executed during the task's package manager installation operation. The change only affects the package manager behavior controlled by the Schematics `NodePackageInstallTask`. First-party Angular schematics do not currently require any direct or transitive dependency `install`/`postinstall` scripts to execute. Only two dependencies within a v14.0 new project would potentially be affected by this: `nice-napi` (transitive from `piscina`) and `esbuild`. The `nice-napi` functionality of `piscina` is unused within the Angular CLI with no plans to use it in the future. Even if it was used, the `install` script runs `node-gyp-build` which would only have an effect (based on the current version 1.0.2) on platforms that are not Windows, darwin-x64, or linux-x64. In the event this functionality is eventually used, the Angular CLI could be setup to automatically execute this particular script for unsupported platforms. For `esbuild`, the `postinstall` functionality performs an optional native binary bootstrap optimization but would only be performed if not using Windows or Yarn. As such, it would not be performed for many users regardless of the change in this commit. If noticeable performance regressions on platforms where the optimization was previously performed are reported, the script could also be setup to be automatically run by the Angular CLI during project creation and/or first build. BREAKING CHANGE: Schematics `NodePackageInstallTask` will not execute package scripts by default The `NodePackageInstallTask` will now use the package manager's `--ignore-scripts` option by default. The `--ignore-scripts` option will prevent package scripts from executing automatically during an install. If a schematic installs packages that need their `install`/`postinstall` scripts to be executed, the `NodePackageInstallTask` now contains an `allowScripts` boolean option which can be enabled to provide the previous behavior for that individual task. As with previous behavior, the `allowScripts` option will prevent the individual task's usage of the `--ignore-scripts` option but will not override the package manager's existing configuration.
clydin
force-pushed
the
ng-new/no-postinstalls
branch
from
da61a2b to
3378942
Compare
Added a new E2E test that checks for install scripts within a new project's dependencies and fails if any unexpected packages are detected. |
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In an effort to improve supply chain security, the
NodePackageInstallTaskwill now use the packagemanager's
--ignore-scriptsoption by default. Without the option, all direct and transitivedependencies would have their scripts executed during the task's package manager installation operation.
The change only affects the package manager behavior controlled by the Schematics
NodePackageInstallTask.First-party Angular schematics do not currently require any direct or transitive dependency
install/postinstallscripts to execute. Only two dependencies within a v14.0 new project wouldpotentially be affected by this:
nice-napi(transitive frompiscina) andesbuild. Thenice-napifunctionality of
piscinais unused within the Angular CLI with no plans to use it in the future.Even if it was used, the
installscript runsnode-gyp-buildwhich would only have an effect(based on the current version 1.0.2) on platforms that are not Windows, darwin-x64, or linux-x64.
In the event this functionality is eventually used, the Angular CLI could be setup to automatically execute
this particular script for unsupported platforms. For
esbuild, thepostinstallfunctionalityperforms an optional native binary bootstrap optimization but would only be performed if not
using Windows or Yarn. As such, it would not be performed for many users regardless of the change in
this commit. If noticeable performance regressions on platforms where the optimization was previously
performed are reported, the script could also be setup to be automatically run by the Angular CLI during
project creation and/or first build.
BREAKING CHANGE: Schematics
NodePackageInstallTaskwill not execute package scripts by defaultThe
NodePackageInstallTaskwill now use the package manager's--ignore-scriptsoption by default.The
--ignore-scriptsoption will prevent package scripts from executing automatically during an install.If a schematic installs packages that need their
install/postinstallscripts to be executed, theNodePackageInstallTasknow contains anallowScriptsboolean option which can be enabled to provide theprevious behavior for that individual task. As with previous behavior, the
allowScriptsoption willprevent the individual task's usage of the
--ignore-scriptsoption but will not override the packagemanager's existing configuration.