Any updates and recommendations for users of Plone and Volto in the face of the recent Shai-Hulud supply chain attacks on the npm ecosystem?
Return of the Shai-Hulud worm affects over 25,000 GitHub repositories | Sysdig.
At minimum it seems we should disable pre- and post-install scripts:
```sh
npm config set ignore-scripts true
```
For Yarn:
1. Create or edit .yarnrc.yml
Open the .yarnrc.yml file at the root of your project. If it doesn't exist, create it.
2. Add the enableScripts configuration
Add the enableScripts setting and set it to false. This will completely prevent lifecycle scripts from running during installation.
```yaml
# .yarnrc.yml
enableScripts: false
```
I know that there is some protection, at least for the host systems, if all dev and CI are happening in containers. I'm not well informed on this matter though.