
fix(javascript-npm-packages): harden npm publish on the token bootstrap path#20

Merged
ob-aion merged 1 commit into main from fix/npm-publish-ignore-scripts on May 20, 2026

Conversation

@ob-aion
Contributor

@ob-aion ob-aion commented May 20, 2026

Summary

Pass --ignore-scripts --access public to npm publish on the token bootstrap path. Defense in depth against postinstall-worm supply-chain attacks (Shai-Hulud-class).

  • Install-time scripts are already disabled by pnpm install --frozen-lockfile --ignore-scripts in javascript/base; --ignore-scripts on publish adds belt-and-suspenders by skipping prepack / postpack / publish / postpublish while the long-lived bootstrap token is in env.
  • prepublishOnly still runs — known npm publish behavior, the flag does not cover it. Accepted: it invokes our own gates which already ran in the base action against the frozen lockfile.
  • --access public is explicit even though consumer publishConfig.access is set.
  • OIDC branch (pnpm publish --provenance --no-git-checks) is unchanged.
  • Long term: OIDC + Trusted Publisher for 1.0.1+ eliminates the long-lived token entirely.

Test plan

  • After merge: roll v0 to this commit.
  • On coroboros/uri: re-tag 1.0.0, re-push. Token branch runs npm publish --ignore-scripts --access public and succeeds (token regenerated with @coroboros/* scope-create permission).
  • OIDC branch unchanged: on a package whose ci.yml does not forward NPM_PACKAGE_REGISTRY_TOKEN, pnpm publish --provenance --no-git-checks runs via corepack-pinned pnpm 11.x and emits provenance.

…ap path

Pass --ignore-scripts --access public to npm publish. Defense in
depth against postinstall-worm supply-chain attacks: install-time
scripts are already skipped by pnpm install --frozen-lockfile
--ignore-scripts in javascript/base; the publish flag now also
skips prepack / postpack / publish / postpublish while the
long-lived bootstrap token is in env. prepublishOnly still runs
(known npm publish behavior), but it invokes our own gates from
the frozen lockfile that already ran in the base action.

The bootstrap token's exposure narrows to one publish — switch to
OIDC + provenance via Trusted Publisher for 1.0.1+ to eliminate
the long-lived token entirely.

Bumps 0.1.10 to 0.1.11 and prepends the changelog entry.
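As an added illustration of the two publish branches the description and commit message lay out (not the repository's own action or workflow), a sketch of the job: the token bootstrap path runs npm publish --ignore-scripts --access public, the OIDC path runs pnpm publish --provenance --no-git-checks. The job and step names, the id-token: write permission, the registry auth line and the way the NPM_PACKAGE_REGISTRY_TOKEN secret is wired in are assumptions.

```yaml
# Assumed sketch of the publish job described in this PR; not the project's own action.
name: publish
on:
  push:
    tags: ["*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required for npm provenance on the OIDC branch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # corepack pins pnpm to the version declared in package.json ("packageManager")
      - run: corepack enable
      # Install-time scripts never run; dependencies come only from the frozen lockfile.
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Publish
        env:
          # Set only on the token bootstrap path; leave unset to take the OIDC branch.
          NPM_PACKAGE_REGISTRY_TOKEN: ${{ secrets.NPM_PACKAGE_REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          if [ -n "${NPM_PACKAGE_REGISTRY_TOKEN:-}" ]; then
            # Token branch: the long-lived token is in env, so per this PR's
            # description prepack / postpack / publish / postpublish are skipped.
            # prepublishOnly still runs, so its gates must be the lockfile-pinned ones.
            npm config set //registry.npmjs.org/:_authToken "$NPM_PACKAGE_REGISTRY_TOKEN"
            npm publish --ignore-scripts --access public
          else
            # OIDC branch: short-lived credential from the runner, provenance emitted.
            pnpm publish --provenance --no-git-checks
          fi
```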
@ob-aion ob-aion merged commit f9cfa5d into main May 20, 2026
6 checks passed
@ob-aion ob-aion deleted the fix/npm-publish-ignore-scripts branch May 20, 2026 07:28
