mirror of https://github.com/zulip/zulip.git
node_cache: Run yarn with --ignore-scripts.
As predicted in https://www.kb.cert.org/vuls/id/319816/, a malicious worm is beginning to spread across the npm ecosystem through package postinstall scripts. Only instead of direct self-replicating code, the replication vector is the temptation to monetize postinstall scripts by polluting the console logs with paid advertisements. The effect will be the same unless we all put a stop to this while we still can. Apply the recommended VU#319816 workaround, which is to disable lifecycle scripts when installing npm packages. The only fallout is: * node-sass can’t run because it uses compiled native code; we replace it with Dart Sass. * phantomjs-prebuilt doesn’t download the binary at install time; we tell it to download it in run-casper. * ttf2woff2 transparently falls back from native code to an Emscripten build. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
parent
37ece9b8e2
commit
43c8c720ef
|
@ -65,6 +65,8 @@ assert_provisioning_status_ok(options.force)
|
||||||
|
|
||||||
os.chdir(ZULIP_PATH)
|
os.chdir(ZULIP_PATH)
|
||||||
|
|
||||||
|
subprocess.check_call(['node', 'node_modules/phantomjs-prebuilt/install.js'])
|
||||||
|
|
||||||
os.makedirs('var/casper', exist_ok=True)
|
os.makedirs('var/casper', exist_ok=True)
|
||||||
|
|
||||||
for f in glob.glob('var/casper/casper-failure*.png'):
|
for f in glob.glob('var/casper/casper-failure*.png'):
|
||||||
|
|
|
@ -86,7 +86,7 @@ def do_yarn_install(target_path, yarn_args, success_stamp, stdout=None, stderr=N
|
||||||
if os.environ.get('CUSTOM_CA_CERTIFICATES'):
|
if os.environ.get('CUSTOM_CA_CERTIFICATES'):
|
||||||
run([YARN_BIN, "config", "set", "cafile", os.environ['CUSTOM_CA_CERTIFICATES']],
|
run([YARN_BIN, "config", "set", "cafile", os.environ['CUSTOM_CA_CERTIFICATES']],
|
||||||
stdout=stdout, stderr=stderr)
|
stdout=stdout, stderr=stderr)
|
||||||
run([YARN_BIN, "install", "--non-interactive", "--frozen-lockfile"] + yarn_args,
|
run([YARN_BIN, "install", "--non-interactive", "--frozen-lockfile", "--ignore-scripts"] + yarn_args,
|
||||||
cwd=target_path, stdout=stdout, stderr=stderr)
|
cwd=target_path, stdout=stdout, stderr=stderr)
|
||||||
with open(success_stamp, 'w'):
|
with open(success_stamp, 'w'):
|
||||||
pass
|
pass
|
||||||
|
|
|
@ -26,4 +26,4 @@ LATEST_RELEASE_ANNOUNCEMENT = "https://blog.zulip.org/2019/03/01/zulip-2-0-relea
|
||||||
# historical commits sharing the same major version, in which case a
|
# historical commits sharing the same major version, in which case a
|
||||||
# minor version bump suffices.
|
# minor version bump suffices.
|
||||||
|
|
||||||
PROVISION_VERSION = '50.0'
|
PROVISION_VERSION = '51.0'
|
||||||
|
|
Loading…
Reference in New Issue