Merge pull request #1653 from input-output-hk/security/npm-lockdown-2025-09-08

rhyslbw · web-flow · commit ec23c9e5296c · 2025-09-09T15:15:58.000+01:00
Security/npm lockdown 2025 09 08
diff --git a/.github/actions/install/action.yml b/.github/actions/install/action.yml
@@ -0,0 +1,28 @@
+name: 'Install Dependencies'
+description: 'Install dependencies with yarn and run security constraint checks'
+inputs:
+  install-args:
+    description: 'Additional arguments for yarn install'
+    required: false
+    default: '--inline-builds --mode=skip-build'
+  max-old-space-size:
+    description: 'Maximum old space size in MB for Node.js'
+    required: false
+    default: '8192'
+  ignore-scripts:
+    description: 'Whether to ignore npm scripts during install'
+    required: false
+    default: 'false'
+runs:
+  using: 'composite'
+  steps:
+    - name: 🔨 Install
+      shell: bash
+      run: yarn install --immutable ${{ inputs.install-args }}
+      env:
+        NODE_OPTIONS: '--max_old_space_size=${{ inputs.max-old-space-size }}'
+        npm_config_ignore_scripts: ${{ inputs.ignore-scripts }}
+    
+    - name: 🛡️ Security Constraints Check
+      shell: bash
+      run: yarn constraints
diff --git a/.github/workflows/continuous-integration-blockfrost-e2e.yaml b/.github/workflows/continuous-integration-blockfrost-e2e.yaml
@@ -53,16 +53,18 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn workspace @cardano-sdk/cardano-services-client build:cjs
           yarn workspace @cardano-sdk/cardano-services build:cjs
           yarn workspace @cardano-sdk/e2e build:cjs
           yarn workspace @cardano-sdk/util-dev build:cjs
           docker build --no-cache .
-        env:
-          NODE_OPTIONS: '--max_old_space_size=8192'
 
       - name: 🌐 Setup local test network
         working-directory: packages/e2e
diff --git a/.github/workflows/continuous-integration-e2e.yaml b/.github/workflows/continuous-integration-e2e.yaml
@@ -53,9 +53,13 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn workspace @cardano-sdk/cardano-services-client build:cjs
           yarn workspace @cardano-sdk/cardano-services build:cjs
           yarn workspace @cardano-sdk/e2e build:cjs
diff --git a/.github/workflows/continuous-integration-side-tests.yaml b/.github/workflows/continuous-integration-side-tests.yaml
@@ -25,10 +25,13 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn build
+        run: yarn build
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
 
diff --git a/.github/workflows/continuous-integration-unit-tests.yaml b/.github/workflows/continuous-integration-unit-tests.yaml
@@ -25,10 +25,13 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn build
+        run: yarn build
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
 
diff --git a/.github/workflows/k6-wallets.yaml b/.github/workflows/k6-wallets.yaml
@@ -67,10 +67,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18.12.0
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn workspace @cardano-sdk/util-dev build:cjs
+        run: yarn workspace @cardano-sdk/util-dev build:cjs
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
       - name: Run k6 cloud test
diff --git a/.github/workflows/k6-web-socket.yaml b/.github/workflows/k6-web-socket.yaml
@@ -59,10 +59,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18.12.0
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn workspace @cardano-sdk/util-dev build:cjs
+        run: yarn workspace @cardano-sdk/util-dev build:cjs
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
       - name: Run k6 cloud test
diff --git a/.github/workflows/post_integration.yml b/.github/workflows/post_integration.yml
@@ -17,11 +17,14 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          max-old-space-size: '10240'
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build Docs
-        env:
-          NODE_OPTIONS: '--max-old-space-size=10240'
         run: |
-          yarn install --immutable --inline-builds
           yarn build
           yarn docs
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -34,8 +34,9 @@ jobs:
           git_commit_gpgsign: true
 
       - name: 💽 Install dependencies
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
         env:
           YARN_ENABLE_IMMUTABLE_INSTALLS: false
 
diff --git a/.github/workflows/test-deploy-e2e.yaml b/.github/workflows/test-deploy-e2e.yaml
@@ -65,13 +65,15 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          ignore-scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn build:cjs
           docker build --no-cache .
-        env:
-          NODE_OPTIONS: '--max_old_space_size=8192'
 
       - name: 🔬 Test - e2e - wallet
         env:
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ lerna-debug.log
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
+!.yarn/constraints.pro
 
 # created by nix
 result
diff --git a/.yarn/constraints.pro b/.yarn/constraints.pro
@@ -0,0 +1,19 @@
+gen_enforced_dependency ForbidMaliciousReleases:
+  backslash "!=0.2.1"
+  chalk-template "!=1.1.1"
+  supports-hyperlinks "!=4.1.1"
+  has-ansi "!=6.0.1"
+  simple-swizzle "!=0.2.3"
+  color-string "!=2.1.1"
+  error-ex "!=1.3.3"
+  color-name "!=2.0.1"
+  is-arrayish "!=0.3.3"
+  slice-ansi "!=7.1.1"
+  color-convert "!=3.1.1"
+  wrap-ansi "!=9.0.1"
+  ansi-regex "!=6.2.1"
+  supports-color "!=10.2.1"
+  strip-ansi "!=7.1.1"
+  chalk "!=5.6.1"
+  debug "!=4.4.2"
+  ansi-styles "!=6.2.2"
diff --git a/.yarn/plugins/@yarnpkg/plugin-constraints.cjs b/.yarn/plugins/@yarnpkg/plugin-constraints.cjs
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -11,5 +11,7 @@ plugins:
     spec: "@yarnpkg/plugin-workspace-tools"
   - path: .yarn/plugins/yarn-plugin-nixify.cjs
     spec: "https://raw.githubusercontent.com/stephank/yarn-plugin-nixify/main/dist/yarn-plugin-nixify.js"
+  - path: .yarn/plugins/@yarnpkg/plugin-constraints.cjs
+    spec: "@yarnpkg/plugin-constraints"
 
 yarnPath: .yarn/releases/yarn-3.2.1.cjs
diff --git a/package.json b/package.json
@@ -93,5 +93,26 @@
     "typedoc-plugin-missing-exports": "^1.0.0",
     "typescript": "^4.7.4"
   },
-  "packageManager": "yarn@3.2.1"
+  "packageManager": "yarn@3.2.1",
+  "resolutions": {
+    "color": "4.2.3",
+    "color-string": "1.9.1",
+    "color-convert": "2.0.1",
+    "color-name": "1.1.4",
+    "chalk": "4.1.2",
+    "chalk-template": "1.1.0",
+    "wrap-ansi": "7.0.0",
+    "slice-ansi": "7.1.0",
+    "strip-ansi": "6.0.1",
+    "ansi-styles": "4.3.0",
+    "ansi-regex": "5.0.1",
+    "supports-color": "7.2.0",
+    "supports-hyperlinks": "3.0.0",
+    "debug": "4.3.4",
+    "is-arrayish": "0.3.2",
+    "simple-swizzle": "0.2.2",
+    "error-ex": "1.3.2",
+    "has-ansi": "5.0.1",
+    "backslash": "0.2.0"
+  }
 }
diff --git a/yarn-project.nix b/yarn-project.nix
diff --git a/yarn.lock b/yarn.lock
