To prevent many supply chain attacks it would be great to have an easy option (eventually even enabled by default?) that calls npm with its `--ignore-scripts` argument to prevent script execution in `django-node-assets/django_node_assets/management/commands/npminstall.py`, lines 47 to 55 in 14f7344:

```python
node_package_manager_install_options = getattr(
    settings,
    "NODE_PACKAGE_MANAGER_INSTALL_OPTIONS",
    [
        "--no-package-lock",
        "--production",
    ],
)
```

Currently it is only possible to set this via `NODE_PACKAGE_MANAGER_INSTALL_OPTIONS`, which feels more like a workaround.
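An added example (not code from django-node-assets) of what the requested behaviour looks like on the Django side: the install command is composed from the settings list and fails closed when `--ignore-scripts` is missing, and a small audit function lists the npm lifecycle hooks a `package.json` would otherwise run. The setting name is taken from the issue; the function names, the default list and the sample `package.json` are assumptions constructed for the example.

```python
import json
import shlex

# Constructed settings value: the project's two defaults plus --ignore-scripts.
NODE_PACKAGE_MANAGER_INSTALL_OPTIONS = [
    "--no-package-lock",
    "--production",
    "--ignore-scripts",
]

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_lifecycle_scripts(package_json_text):
    """Return the lifecycle hooks (and their commands) a package.json would run on install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_LIFECYCLE_HOOKS}


def build_install_command(options, executable="npm", require_ignore_scripts=True):
    """Compose the npm install argv from the settings list.

    Mirrors the getattr() lookup shown in the issue, but refuses to build a
    command that would execute lifecycle scripts unless the caller opts out,
    so a misconfigured deployment fails closed instead of running them silently.
    """
    opts = list(options)
    if require_ignore_scripts and "--ignore-scripts" not in opts:
        raise ValueError("npm install would execute lifecycle scripts; add --ignore-scripts")
    return [executable, "install", *opts]


# Constructed package.json with a postinstall hook, for illustration only.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dep",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

if __name__ == "__main__":
    print("hooks that would run on install:", install_lifecycle_scripts(SAMPLE_PACKAGE_JSON))
    print(shlex.join(build_install_command(NODE_PACKAGE_MANAGER_INSTALL_OPTIONS)))
```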