Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
mcollina
left a comment
lgtm
In a lot of repositories we use @fastify/pre-commit to set up the pre-commit script (not sure here). We should ideally white-list that.
Is there a way to whitelist? Only thing I can think of is running If not, maybe we just need to remove
The only way I see to enable that is https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts. I'm not so convinced the pre-commit script is worth it any longer. In my view, it was meant to assure a commit is "clean" before it gets suggested as a change in a PR. But a lot of people just clone, edit, and PR. They never even install dependencies and simply rely on CI to do all of the work. Personally, I end up skipping it more often than not with
See fastify/deepmerge#78 Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
See fastify/deepmerge#78. This is a batch PR created by a script. Please review prior to merging. Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
After the recent supply chain attacks that use install scripts, we should enable this everywhere.
This was already enabled in the main fastify repo as part of fastify/fastify#6108.
If this is approved and merged then I will do a batch of PRs to the rest of the repos.
Checklist
npm run test && npm run benchmark --if-present and the Code of conduct
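
Not part of the pull request or of any Fastify repository, this added example shows one way to find which installed dependencies would run code at install time and which of them are missing from an allow-list, the question raised in the review comments. The function names, the allow-list and the sample packages are assumptions, and the manifests are constructed rather than copied from the real packages.

```javascript
const fs = require('node:fs')
const os = require('node:os')
const path = require('node:path')

// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']

// List { name, hooks } for each package that runs code at install time (scopes and nested deps included).
function findInstallScripts (nodeModulesDir) {
  const found = []
  if (!fs.existsSync(nodeModulesDir)) return found
  for (const entry of fs.readdirSync(nodeModulesDir).sort()) {
    const dir = path.join(nodeModulesDir, entry)
    if (entry.startsWith('@')) { // a scope directory holds the packages
      found.push(...findInstallScripts(dir))
      continue
    }
    const manifest = path.join(dir, 'package.json')
    if (!fs.existsSync(manifest)) continue // .bin, stray files
    const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'))
    const scripts = pkg.scripts || {}
    const hooks = INSTALL_HOOKS.filter((hook) => scripts[hook])
    // With binding.gyp and no install/preinstall script, npm defaults to `node-gyp rebuild`.
    const gyp = !scripts.install && !scripts.preinstall && fs.existsSync(path.join(dir, 'binding.gyp'))
    if (gyp) hooks.push('implicit node-gyp rebuild')
    if (hooks.length > 0) found.push({ name: pkg.name, hooks })
    found.push(...findInstallScripts(path.join(dir, 'node_modules')))
  }
  return found
}

// Names of packages with install-time hooks that are not on the allow-list.
const unapproved = (list, allow) => list.map((p) => p.name).filter((n) => !allow.includes(n))

// Constructed sample tree; the manifests are made up for this example.
function buildSampleTree () {
  const nodeModules = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-')), 'node_modules')
  const put = (name, scripts, extraFile) => {
    const dir = path.join(nodeModules, name)
    fs.mkdirSync(dir, { recursive: true })
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, scripts }))
    if (extraFile) fs.writeFileSync(path.join(dir, extraFile), '{}')
  }
  put('@fastify/pre-commit', { install: 'node install.js' })
  put('plain-lib', { test: 'node test.js' })
  put('native-dep', {}, 'binding.gyp')
  put('unknown-dep', { postinstall: 'node setup.js' })
  return nodeModules
}
console.log(unapproved(findInstallScripts(buildSampleTree()), ['@fastify/pre-commit']))
```

Pointed at a real project's `node_modules`, the same two functions give the list of packages a reviewer would have to approve before install scripts are switched off for everything else.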