Skip to content

[Chore]: Disable all ci postinstall scripts to prevent supply chain attacks using this method #2644

Closed
Task
#2647
Closed
[Chore]: Disable all ci postinstall scripts to prevent supply chain attacks using this method#2644
Task
#2647
Assignees
aramikm
Labels
choreNo feature changesdependenciesPull requests that update a dependency file
@aramikm

Description

@aramikm
aramikm
opened on Nov 24, 2025

Feature Description

Details

Some supply chain attacks are using postinstall scripts in the CI to infect dev machines.

AC

  • make sure we are not depended on any of preinstall, install, postinstall in our packages
  • replace npm install with npm install --ignore-scripts in all github actions and make files or other scripts
  • replace npm ci with npm ci --ignore-scripts in all github actions and make files or other scripts

Searched for Related Issues

  • I have done a search for related issues and either found none, or noted them

Metadata

Metadata

Assignees

Labels

choreNo feature changesdependenciesPull requests that update a dependency file

Type

Task

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions