From 3f07771a7e6919bd32aafda04be7dc893201741c Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sun, 26 Apr 2026 21:23:26 -0400
Subject: [PATCH] chore: Improve setup against supply chain attacks (#12170)

* Add npm audit CI Remove postinstall Disable postinstall scripts Increase age gate to 3d
* audit cleanup
* Gate on dep changes
---
 .github/workflows/ci.yml | 24 ++++++++++++++++
 .yarnrc.yml | 22 ++++++++++++++-
 package.json | 8 ++++--
 yarn.lock | 61 +++++++++++-----------------------
 4 files changed, 67 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d5cb5dfcc8..6f13678223 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -75,12 +75,32 @@ jobs:
           key: ${{ runner.os }}-node-modules-24.x-${{ hashFiles('yarn.lock') }}
       - run: yarn tsc
 
+  audit:
+    needs: [setup, changes]
+    if: ${{ needs.changes.outputs.deps == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Enable Corepack
+        run: corepack enable
+      - uses: actions/setup-node@v5
+        with:
+          node-version: 24.x
+          cache: "yarn"
+      - name: Restore node_modules
+        uses: actions/cache@v4
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-node-modules-24.x-${{ hashFiles('yarn.lock') }}
+      - run: yarn npm audit --severity high --recursive --environment production
+
   changes:
     runs-on: ubuntu-latest
     outputs:
       config: ${{ steps.filter.outputs.config }}
       server: ${{ steps.filter.outputs.server }}
       app: ${{ steps.filter.outputs.app }}
+      deps: ${{ steps.filter.outputs.deps }}
     steps:
       - uses: actions/checkout@v5
       - uses: dorny/paths-filter@v2
@@ -100,6 +120,10 @@ jobs:
             - 'shared/**'
             - 'package.json'
             - 'yarn.lock'
+          deps:
+            - 'package.json'
+            - 'yarn.lock'
+            - '.yarnrc.yml'
 
   test:
     needs: [setup, changes]
diff --git a/.yarnrc.yml b/.yarnrc.yml
index 49860455f3..80556a172a 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
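Review bot: The `if: ${{ needs.changes.outputs.deps == 'true' }}` condition on the new `audit` job means an advisory published after the last dependency change is not reported until some later PR touches package.json, yarn.lock or .yarnrc.yml, so the gate only catches problems already known at the moment a dependency moves. A `schedule` trigger on the workflow (or running the job unconditionally on the default branch) would surface newly published advisories against an unchanged lockfile. Separately, `yarn npm audit` works from yarn.lock and the registry rather than from an installed tree, so the `Restore node_modules` step and the `needs: setup` edge look unnecessary for this job — worth confirming for the Yarn version pinned in package.json. A comment above the final run step recording the chosen scope, e.g. `# High+ severity only, production (non-dev) deps; build-tool advisories are ignored via npmAuditIgnoreAdvisories in .yarnrc.yml`, would make the trade-off explicit to the next reader.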
@@ -1,6 +1,26 @@
 nodeLinker: node-modules
 
-npmMinimalAgeGate: 1440
+enableScripts: false
+
+npmMinimalAgeGate: 4320
 
 npmPreapprovedPackages:
   - outline-icons
+
+# Build-time advisories that don't affect runtime request handling.
+# Re-evaluate when bumping the relevant dev/build dep.
+npmAuditIgnoreAdvisories:
+  - "1113517" # GHSA-mw96-cpmx-2vgc rollup <2.80.0 path traversal (workbox-build, build-time)
+  - "1113686" # GHSA-5c6j-r48x-rmvq serialize-javascript RCE (@rollup/plugin-terser, build-time)
+  - "1113459" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113461" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113465" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113538" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113540" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113544" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113546" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113548" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1113552" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
+  - "1115552" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
+  - "1115554" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
+  - "1115805" # GHSA-r5fr-rjxr-66jc lodash-es _.template injection (mermaid; not exposed to user-controlled template keys)
diff --git a/package.json b/package.json
index 1eaa91f3cf..d09686b5e4 100644
--- a/package.json
+++ b/package.json
@@ -365,7 +365,6 @@
     "nodemon": "^3.1.14",
     "oxlint": "1.11.2",
     "oxlint-tsgolint": "^0.1.6",
-    "postinstall-postinstall": "^2.1.0",
     "prettier": "^3.6.2",
     "react-refresh": "^0.18.0",
     "rimraf": "^2.5.4",
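Review bot: `enableScripts: false` suppresses lifecycle scripts for every dependency, so any native module that relies on a postinstall build would install without its binary and fail only at load time; if the project has such a dependency it needs an explicit per-package allowance (Yarn's `dependenciesMeta.<name>.built` in package.json, if the pinned Yarn version honours that override), and a comment above the key should say where that allowance lives. `npmMinimalAgeGate: 4320` is only recognisable as the "3d" from the commit message if the reader knows the setting is in minutes; an inline `# minutes (3 days)` would remove the guesswork. The `npmAuditIgnoreAdvisories` entries carry a rationale but no exit criterion — recording the version that resolves each one, or a re-check date, next to the GHSA id turns the header's "re-evaluate when bumping" into something a reviewer can act on. The `lodash-es` entry rests on the claim that mermaid never sees user-controlled template input; stating where mermaid input enters the app would let that assumption be re-checked if that path changes.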
@@ -388,9 +387,12 @@
     "cheerio": "1.0.0-rc.12",
     "zod": "^4.2.1",
     "socket.io-parser": "4.2.6",
-    "@xmldom/xmldom": "0.8.12",
+    "@xmldom/xmldom": "^0.8.13",
     "fast-xml-parser": "5.5.7",
-    "@types/markdown-it": "14.1.1"
+    "@types/markdown-it": "14.1.1",
+    "underscore": "^1.13.8",
+    "tar": "^7.5.13",
+    "@hono/node-server": "^1.19.10"
   },
   "version": "1.7.0",
   "packageManager": "yarn@4.11.0"
diff --git a/yarn.lock b/yarn.lock
index ccbe9ef2c0..db2ff175a2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -649,17 +649,7 @@ __metadata: languageName: node linkType: hard -"@aws-sdk/types@npm:^3.222.0": - version: 3.973.1 - resolution: "@aws-sdk/types@npm:3.973.1" - dependencies: - "@smithy/types": "npm:^4.12.0" - tslib: "npm:^2.6.2" - checksum: 10c0/8a4a183cc39b4d6f4d065ece884b50d397a54b17add32b649f49adbe676174e7bee2c3c94394fc5227a4fccb96c34482291a1eb2702158e1dbb12c441af32863 - languageName: node - linkType: hard - +"@aws-sdk/types@npm:^3.222.0, @aws-sdk/types@npm:^3.973.8": version: 3.973.8 resolution: "@aws-sdk/types@npm:3.973.8" dependencies:
@@ -3042,12 +3032,12 @@ __metadata: languageName: node linkType: hard -"@hono/node-server@npm:^1.19.9": - version: 1.19.9 - resolution: "@hono/node-server@npm:1.19.9" +"@hono/node-server@npm:^1.19.10": + version: 1.19.14 + resolution: "@hono/node-server@npm:1.19.14" peerDependencies: hono: ^4 - checksum: 10c0/de18c06b6b266dc45fe55fb82053bd1da8fe84939c49b6fbab4d2448b679d54ab5affbf8b15de9bead26f29b1755284d770aafb5ad14a8e4b3cfb4f79334554e + checksum: 10c0/41a099bb3705d96aac44b7a8db8805f2a22ce8a0f767a27b6d10b74a9964925df01c5f35d3631e882f8bcdeee3518884c30f40588ac8c960d88bf71048ba0df3 languageName: node linkType: hard
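Review bot: The new `resolutions` entries use caret ranges (`"tar": "^7.5.13"`, `"underscore": "^1.13.8"`, `"@hono/node-server": "^1.19.10"`) and `@xmldom/xmldom` moves from the exact `0.8.12` to `^0.8.13`, while the neighbouring entries stay exact pins (`"fast-xml-parser": "5.5.7"`, `"socket.io-parser": "4.2.6"`). That is a point of style, but one worth settling deliberately in a supply-chain hardening change: a range here lets a future `yarn up` advance the forced version within the minor, subject only to the age gate, whereas an exact pin keeps the override reviewable in this file rather than in yarn.lock. Either is defensible since the lockfile fixes the resolved version; the block should just follow one convention, and if ranges are intended a short comment above `resolutions` noting that the lockfile is the effective pin would pre-empt the question. The enclosing `resolutions` object begins before the hunk.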
@@ -6601,15 +6591,6 @@ __metadata: languageName: node linkType: hard -"@smithy/types@npm:^4.12.0": - version: 4.12.0 - resolution: "@smithy/types@npm:4.12.0" - dependencies: - tslib: "npm:^2.6.2" - checksum: 10c0/ac81de3f24b43e52a5089279bced4ff04a853e0bdc80143a234e79f7f40cbd61d85497b08a252265570b4637a3cf265cf85a7a09e5f194937fe30706498640b7 - languageName: node - linkType: hard - "@smithy/types@npm:^4.14.1": version: 4.14.1 resolution: "@smithy/types@npm:4.14.1" @@ -8473,10 +8454,10 @@ __metadata: languageName: node linkType: hard -"@xmldom/xmldom@npm:0.8.12": - version: 0.8.12 - resolution: "@xmldom/xmldom@npm:0.8.12" - checksum: 10c0/b733c84292d1bee32ef21a05aba8f9063456b51a54068d0b4a1abf5545156ee0b9894b7ae23775b5881b11c35a8a03871d1b514fb7e1b11654cdbee57e1c2707 +"@xmldom/xmldom@npm:^0.8.13": + version: 0.8.13 + resolution: "@xmldom/xmldom@npm:0.8.13" + checksum: 10c0/06405ee6fffba631abf715a305ace338420ebcea8baf1317f19f2752f5c505952b7df45159908e7be8451a42faa54326b780616ab4d08242b20477b2973da24b languageName: node linkType: hard @@ -17091,7 +17072,6 @@ __metadata: pluralize: "npm:^8.0.0" png-chunks-extract: "npm:^1.0.0" polished: "npm:^4.3.1" - postinstall-postinstall: "npm:^2.1.0" prettier: "npm:^3.6.2" prosemirror-changeset: "npm:2.3.1" prosemirror-codemark: "npm:^0.4.2" @@ -17991,13 +17971,6 @@ __metadata: languageName: node linkType: hard -"postinstall-postinstall@npm:^2.1.0": - version: 2.1.0 - resolution: "postinstall-postinstall@npm:2.1.0" - checksum: 10c0/70488447292c712afa7806126824d6fe93362392cbe261ae60166d9119a350713e0dbf4deb2ca91637c1037bc030ed1de78d61d9041bf2504513070f1caacdfd - languageName: node - linkType: hard - "pprof-format@npm:^2.2.1": version: 2.2.1 resolution: "pprof-format@npm:2.2.1" 
@@ -20595,16 +20568,16 @@ __metadata: languageName: node linkType: hard -"tar@npm:^7.5.2": - version: 7.5.2 - resolution: "tar@npm:7.5.2" +"tar@npm:^7.5.13": + version: 7.5.13 + resolution: "tar@npm:7.5.13" dependencies: "@isaacs/fs-minipass": "npm:^4.0.0" chownr: "npm:^3.0.0" minipass: "npm:^7.1.2" minizlib: "npm:^3.1.0" yallist: "npm:^5.0.0" - checksum: 10c0/a7d8b801139b52f93a7e34830db0de54c5aa45487c7cb551f6f3d44a112c67f1cb8ffdae856b05fd4f17b1749911f1c26f1e3a23bbe0279e17fd96077f13f467 + checksum: 10c0/5c65b8084799bde7a791593a1c1a45d3d6ee98182e3700b24c247b7b8f8654df4191642abbdb07ff25043d45dcff35620827c3997b88ae6c12040f64bed5076b languageName: node linkType: hard @@ -21184,10 +21157,10 @@ __metadata: languageName: node linkType: hard -"underscore@npm:^1.13.1": - version: 1.13.7 - resolution: "underscore@npm:1.13.7" - checksum: 10c0/fad2b4aac48847674aaf3c30558f383399d4fdafad6dd02dd60e4e1b8103b52c5a9e5937e0cc05dacfd26d6a0132ed0410ab4258241240757e4a4424507471cd +"underscore@npm:^1.13.8": + version: 1.13.8 + resolution: "underscore@npm:1.13.8" + checksum: 10c0/6677688daeda30484823e77c0b89ce4dcf29964a77d5a06f37299c007ab4bb1c66a0ff75e0d274620b62a1fe2a6ba29879f8214533ca611d71a1ae504f2bfc9b languageName: node linkType: hard