node_cache: Run yarn with --ignore-scripts.

As predicted in https://www.kb.cert.org/vuls/id/319816/, a malicious
worm is beginning to spread across the npm ecosystem through package
postinstall scripts.  Only instead of direct self-replicating code,
the replication vector is the temptation to monetize postinstall
scripts by polluting the console logs with paid advertisements.  The
effect will be the same unless we all put a stop to this while we
still can.

Apply the recommended VU#319816 workaround, which is to disable
lifecycle scripts when installing npm packages.  The only fallout is:

* node-sass can’t run because it uses compiled native code; we replace
  it with Dart Sass.
* phantomjs-prebuilt doesn’t download the binary at install time; we
  tell it to download it in run-casper.
* ttf2woff2 transparently falls back from native code to an Emscripten
  build.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Anders Kaseorg 2019-08-24 12:17:07 -07:00 committed by Tim Abbott
parent 37ece9b8e2
commit 43c8c720ef
3 changed files with 4 additions and 2 deletions
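Before flipping `yarn install` to `--ignore-scripts`, a practitioner wants to know which installed packages actually declare preinstall/install/postinstall scripts, since those are the ones that will silently stop running (and may need to be invoked by hand, as this commit does for phantomjs-prebuilt). The following audit script is an added example and is not part of the Zulip commit or code base; the `node_modules` tree it builds is constructed for illustration, and every package name and script body in it is made up. It only scans hoisted top-level and `@scoped` packages, which is the layout yarn v1 produces for most dependencies.

```python
"""Audit which packages under node_modules declare npm lifecycle scripts.

Added example, not part of the Zulip commit above. Run it against a real
node_modules directory to see what `yarn install --ignore-scripts` will
stop executing; the sample tree from build_sample_tree() is constructed
for illustration only.
"""
import json
import os
import tempfile

# Scripts yarn/npm run automatically during `install`; --ignore-scripts skips all of them.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")


def iter_package_json(node_modules):
    """Yield (package_name, path_to_package_json) for every hoisted
    top-level package and every package under an @scope directory."""
    for entry in sorted(os.listdir(node_modules)):
        full = os.path.join(node_modules, entry)
        if not os.path.isdir(full):
            continue
        if entry.startswith("@"):
            for sub in sorted(os.listdir(full)):
                pj = os.path.join(full, sub, "package.json")
                if os.path.isfile(pj):
                    yield "%s/%s" % (entry, sub), pj
        else:
            pj = os.path.join(full, "package.json")
            if os.path.isfile(pj):
                yield entry, pj


def find_lifecycle_scripts(node_modules):
    """Return {package: {script_name: command}} for every package that
    declares at least one install-time lifecycle script."""
    found = {}
    for name, pj in iter_package_json(node_modules):
        try:
            with open(pj) as f:
                scripts = json.load(f).get("scripts") or {}
        except (OSError, ValueError):
            continue  # unreadable or malformed package.json: skip it rather than abort the audit
        hits = {k: scripts[k] for k in LIFECYCLE_SCRIPTS if k in scripts}
        if hits:
            found[name] = hits
    return found


def build_sample_tree(root):
    """Write a constructed node_modules tree mixing packages with and
    without lifecycle scripts (hypothetical names, made-up commands)."""
    samples = {
        "native-addon": {"scripts": {"install": "node-gyp rebuild"}},
        "binary-fetcher": {"scripts": {"postinstall": "node install.js"}},
        "plain-lib": {"scripts": {"test": "mocha"}},
        "@scope/ad-banner": {"scripts": {"postinstall": "node show-ad.js"}},
        "no-scripts": {},
    }
    for name, manifest in samples.items():
        pkg_dir = os.path.join(root, *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        manifest = dict(manifest, name=name, version="0.0.0")
        with open(os.path.join(pkg_dir, "package.json"), "w") as f:
            json.dump(manifest, f)
    return root


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        node_modules = build_sample_tree(os.path.join(tmp, "node_modules"))
        return find_lifecycle_scripts(node_modules)


if __name__ == "__main__":
    # Against a real checkout: find_lifecycle_scripts("node_modules")
    for pkg, scripts in sorted(demo().items()):
        print(pkg, scripts)
```

Running it on a real checkout gives the list of packages whose install-time behaviour you are opting out of; each one is either harmless to skip (native code with a pure-JS fallback, like the ttf2woff2 case in the commit message), needs an explicit replacement step (like running phantomjs-prebuilt's install.js from run-casper), or should be replaced with a dependency that does not need scripts at all (like node-sass giving way to Dart Sass).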


@ -65,6 +65,8 @@ assert_provisioning_status_ok(options.force)
os.chdir(ZULIP_PATH)
subprocess.check_call(['node', 'node_modules/phantomjs-prebuilt/install.js'])
os.makedirs('var/casper', exist_ok=True)
for f in glob.glob('var/casper/casper-failure*.png'):
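Review bot: the new subprocess.check_call in this hunk runs node_modules/phantomjs-prebuilt/install.js unconditionally on every run-casper invocation, so each test run re-executes a third-party install script (which may try to download the binary) even when it is already present; consider guarding the call on the downloaded binary existing, and add a comment stating that this one install script is run deliberately because yarn now installs with --ignore-scripts, so a later cleanup does not remove it. The hunk also shows no import of subprocess alongside the glob and os calls; confirm it is already imported at the top of this file.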


@ -86,7 +86,7 @@ def do_yarn_install(target_path, yarn_args, success_stamp, stdout=None, stderr=N
if os.environ.get('CUSTOM_CA_CERTIFICATES'):
run([YARN_BIN, "config", "set", "cafile", os.environ['CUSTOM_CA_CERTIFICATES']],
stdout=stdout, stderr=stderr)
run([YARN_BIN, "install", "--non-interactive", "--frozen-lockfile"] + yarn_args,
run([YARN_BIN, "install", "--non-interactive", "--frozen-lockfile", "--ignore-scripts"] + yarn_args,
cwd=target_path, stdout=stdout, stderr=stderr)
with open(success_stamp, 'w'):
pass
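Review bot: the --ignore-scripts flag added to the yarn install line deserves a short comment referencing VU#319816, since a future maintainer debugging a broken native dependency is otherwise likely to drop it. Two caveats belong in that comment: the flag also skips the top-level project's own lifecycle scripts (any postinstall/prepare in the root package.json), not only those of dependencies; and it only blocks install-time execution, so a malicious package can still run code the first time the build requires it, meaning dependency review is still needed.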


@ -26,4 +26,4 @@ LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.org/2019/03/01/zulip-2-0-relea
# historical commits sharing the same major version, in which case a
# minor version bump suffices.
PROVISION_VERSION = '50.0'
PROVISION_VERSION = '51.0'
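Review bot: the major bump to '51.0' forces a full reprovision rather than an incremental one, and the reason should be stated, since the comment just above only describes when a minor bump suffices. Existing development environments have a node_modules tree installed with lifecycle scripts enabled, so they need a fresh yarn install under --ignore-scripts (and the new phantomjs step) for the behaviour described in the commit message to hold.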