chore: Improve setup against supply chain attacks (#12170)

* Add npm audit CI
Remove postinstall
Disable postinstall scripts
Increase age gate to 3d

* audit cleanup

* Gate on dep changes
Tom Moor
2026-04-26 21:23:26 -04:00
committed by GitHub
parent 7ed41eadc6
commit 3f07771a7e
4 changed files with 67 additions and 48 deletions
+24
@@ -75,12 +75,32 @@ jobs:
key: ${{ runner.os }}-node-modules-24.x-${{ hashFiles('yarn.lock') }}
- run: yarn tsc
audit:
needs: [setup, changes]
if: ${{ needs.changes.outputs.deps == 'true' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- name: Enable Corepack
run: corepack enable
- uses: actions/setup-node@v5
with:
node-version: 24.x
cache: "yarn"
- name: Restore node_modules
uses: actions/cache@v4
with:
path: node_modules
key: ${{ runner.os }}-node-modules-24.x-${{ hashFiles('yarn.lock') }}
- run: yarn npm audit --severity high --recursive --environment production
changes:
runs-on: ubuntu-latest
outputs:
config: ${{ steps.filter.outputs.config }}
server: ${{ steps.filter.outputs.server }}
app: ${{ steps.filter.outputs.app }}
deps: ${{ steps.filter.outputs.deps }}
steps:
- uses: actions/checkout@v5
- uses: dorny/paths-filter@v2
@@ -100,6 +120,10 @@ jobs:
- 'shared/**'
- 'package.json'
- 'yarn.lock'
deps:
- 'package.json'
- 'yarn.lock'
- '.yarnrc.yml'
test:
needs: [setup, changes]
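Review bot: The `if: ${{ needs.changes.outputs.deps == 'true' }}` gate on the new `audit` job means it only runs when package.json, yarn.lock or .yarnrc.yml change, so an advisory published later against a dependency nobody touches is not reported until the next unrelated dependency bump. A `schedule:` trigger on the workflow (its `on:` block is outside this hunk) combined with `if: ${{ github.event_name == 'schedule' || needs.changes.outputs.deps == 'true' }}` would give continuous coverage instead of point-in-time coverage. For a commit whose purpose is supply-chain hardening, the third-party `dorny/paths-filter@v2` and the `actions/*` steps are still referenced by mutable major tags; pinning them to a full commit SHA with the tag kept as a trailing comment (`uses: dorny/paths-filter@<commit-sha> # v2`) is the usual complement to the audit. The `Restore node_modules` cache step in the audit job also looks unused, since as far as I can tell `yarn npm audit` works from the lockfile rather than node_modules — either drop it or add `# needed only if the audit is later made to resolve from node_modules` so the next reader does not assume it is load-bearing.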
+21 -1
@@ -1,6 +1,26 @@
nodeLinker: node-modules
npmMinimalAgeGate: 1440
enableScripts: false
npmMinimalAgeGate: 4320
npmPreapprovedPackages:
- outline-icons
# Build-time advisories that don't affect runtime request handling.
# Re-evaluate when bumping the relevant dev/build dep.
npmAuditIgnoreAdvisories:
- "1113517" # GHSA-mw96-cpmx-2vgc rollup <2.80.0 path traversal (workbox-build, build-time)
- "1113686" # GHSA-5c6j-r48x-rmvq serialize-javascript RCE (@rollup/plugin-terser, build-time)
- "1113459" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113461" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113465" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113538" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113540" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113544" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113546" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113548" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1113552" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
- "1115552" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
- "1115554" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
- "1115805" # GHSA-r5fr-rjxr-66jc lodash-es _.template injection (mermaid; not exposed to user-controlled template keys)
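Review bot: `enableScripts: false` on the second added line switches off install/postinstall scripts for every dependency, so any package that genuinely needs a build step may now be installed without it; I cannot see the dependency list from here, but Yarn's per-package opt-in (`dependenciesMeta.<name>.built: true` in package.json, which behaves as an allow-list once scripts are globally disabled) is the escape hatch, and a comment above the key naming that mechanism would save the next person who hits a missing native build from flipping the global switch back on. The `npmAuditIgnoreAdvisories` entries are keyed on numeric advisory ids with no expiry, and the workflow in this same commit runs the audit with `--environment production`, so it is unclear whether these build-time tools are reachable from a production dependency or whether the ignores only matter for local runs; stating that in the header comment, e.g. `# These are reachable transitively from production deps / only relevant to local non-production runs — TODO confirm`, would make the list auditable. Raising `npmMinimalAgeGate` to 4320 also delays adoption of security hotfixes newer than three days, which is an accepted trade-off here but worth a one-line comment pointing at `npmPreapprovedPackages` as the override for an urgent fix.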
+5 -3
@@ -365,7 +365,6 @@
"nodemon": "^3.1.14",
"oxlint": "1.11.2",
"oxlint-tsgolint": "^0.1.6",
"postinstall-postinstall": "^2.1.0",
"prettier": "^3.6.2",
"react-refresh": "^0.18.0",
"rimraf": "^2.5.4",
@@ -388,9 +387,12 @@
"cheerio": "1.0.0-rc.12",
"zod": "^4.2.1",
"socket.io-parser": "4.2.6",
"@xmldom/xmldom": "0.8.12",
"@xmldom/xmldom": "^0.8.13",
"fast-xml-parser": "5.5.7",
"@types/markdown-it": "14.1.1"
"@types/markdown-it": "14.1.1",
"underscore": "^1.13.8",
"tar": "^7.5.13",
"@hono/node-server": "^1.19.10"
},
"version": "1.7.0",
"packageManager": "yarn@4.11.0"
+17 -44
@@ -649,17 +649,7 @@ __metadata:
languageName: node
linkType: hard
"@aws-sdk/types@npm:^3.222.0":
version: 3.973.1
resolution: "@aws-sdk/types@npm:3.973.1"
dependencies:
"@smithy/types": "npm:^4.12.0"
tslib: "npm:^2.6.2"
checksum: 10c0/8a4a183cc39b4d6f4d065ece884b50d397a54b17add32b649f49adbe676174e7bee2c3c94394fc5227a4fccb96c34482291a1eb2702158e1dbb12c441af32863
languageName: node
linkType: hard
"@aws-sdk/types@npm:^3.973.8":
"@aws-sdk/types@npm:^3.222.0, @aws-sdk/types@npm:^3.973.8":
version: 3.973.8
resolution: "@aws-sdk/types@npm:3.973.8"
dependencies:
@@ -3042,12 +3032,12 @@ __metadata:
languageName: node
linkType: hard
"@hono/node-server@npm:^1.19.9":
version: 1.19.9
resolution: "@hono/node-server@npm:1.19.9"
"@hono/node-server@npm:^1.19.10":
version: 1.19.14
resolution: "@hono/node-server@npm:1.19.14"
peerDependencies:
hono: ^4
checksum: 10c0/de18c06b6b266dc45fe55fb82053bd1da8fe84939c49b6fbab4d2448b679d54ab5affbf8b15de9bead26f29b1755284d770aafb5ad14a8e4b3cfb4f79334554e
checksum: 10c0/41a099bb3705d96aac44b7a8db8805f2a22ce8a0f767a27b6d10b74a9964925df01c5f35d3631e882f8bcdeee3518884c30f40588ac8c960d88bf71048ba0df3
languageName: node
linkType: hard
@@ -6601,15 +6591,6 @@ __metadata:
languageName: node
linkType: hard
"@smithy/types@npm:^4.12.0":
version: 4.12.0
resolution: "@smithy/types@npm:4.12.0"
dependencies:
tslib: "npm:^2.6.2"
checksum: 10c0/ac81de3f24b43e52a5089279bced4ff04a853e0bdc80143a234e79f7f40cbd61d85497b08a252265570b4637a3cf265cf85a7a09e5f194937fe30706498640b7
languageName: node
linkType: hard
"@smithy/types@npm:^4.14.1":
version: 4.14.1
resolution: "@smithy/types@npm:4.14.1"
@@ -8473,10 +8454,10 @@ __metadata:
languageName: node
linkType: hard
"@xmldom/xmldom@npm:0.8.12":
version: 0.8.12
resolution: "@xmldom/xmldom@npm:0.8.12"
checksum: 10c0/b733c84292d1bee32ef21a05aba8f9063456b51a54068d0b4a1abf5545156ee0b9894b7ae23775b5881b11c35a8a03871d1b514fb7e1b11654cdbee57e1c2707
"@xmldom/xmldom@npm:^0.8.13":
version: 0.8.13
resolution: "@xmldom/xmldom@npm:0.8.13"
checksum: 10c0/06405ee6fffba631abf715a305ace338420ebcea8baf1317f19f2752f5c505952b7df45159908e7be8451a42faa54326b780616ab4d08242b20477b2973da24b
languageName: node
linkType: hard
@@ -17091,7 +17072,6 @@ __metadata:
pluralize: "npm:^8.0.0"
png-chunks-extract: "npm:^1.0.0"
polished: "npm:^4.3.1"
postinstall-postinstall: "npm:^2.1.0"
prettier: "npm:^3.6.2"
prosemirror-changeset: "npm:2.3.1"
prosemirror-codemark: "npm:^0.4.2"
@@ -17991,13 +17971,6 @@ __metadata:
languageName: node
linkType: hard
"postinstall-postinstall@npm:^2.1.0":
version: 2.1.0
resolution: "postinstall-postinstall@npm:2.1.0"
checksum: 10c0/70488447292c712afa7806126824d6fe93362392cbe261ae60166d9119a350713e0dbf4deb2ca91637c1037bc030ed1de78d61d9041bf2504513070f1caacdfd
languageName: node
linkType: hard
"pprof-format@npm:^2.2.1":
version: 2.2.1
resolution: "pprof-format@npm:2.2.1"
@@ -20595,16 +20568,16 @@ __metadata:
languageName: node
linkType: hard
"tar@npm:^7.5.2":
version: 7.5.2
resolution: "tar@npm:7.5.2"
"tar@npm:^7.5.13":
version: 7.5.13
resolution: "tar@npm:7.5.13"
dependencies:
"@isaacs/fs-minipass": "npm:^4.0.0"
chownr: "npm:^3.0.0"
minipass: "npm:^7.1.2"
minizlib: "npm:^3.1.0"
yallist: "npm:^5.0.0"
checksum: 10c0/a7d8b801139b52f93a7e34830db0de54c5aa45487c7cb551f6f3d44a112c67f1cb8ffdae856b05fd4f17b1749911f1c26f1e3a23bbe0279e17fd96077f13f467
checksum: 10c0/5c65b8084799bde7a791593a1c1a45d3d6ee98182e3700b24c247b7b8f8654df4191642abbdb07ff25043d45dcff35620827c3997b88ae6c12040f64bed5076b
languageName: node
linkType: hard
@@ -21184,10 +21157,10 @@ __metadata:
languageName: node
linkType: hard
"underscore@npm:^1.13.1":
version: 1.13.7
resolution: "underscore@npm:1.13.7"
checksum: 10c0/fad2b4aac48847674aaf3c30558f383399d4fdafad6dd02dd60e4e1b8103b52c5a9e5937e0cc05dacfd26d6a0132ed0410ab4258241240757e4a4424507471cd
"underscore@npm:^1.13.8":
version: 1.13.8
resolution: "underscore@npm:1.13.8"
checksum: 10c0/6677688daeda30484823e77c0b89ce4dcf29964a77d5a06f37299c007ab4bb1c66a0ff75e0d274620b62a1fe2a6ba29879f8214533ca611d71a1ae504f2bfc9b
languageName: node
linkType: hard