fix: #2030 add ignore script prevent supply chain attack (#859)

ianliuwk1019 · web-flow · commit 4374793f1192 · 2025-11-27T12:18:30.000-08:00
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -24,7 +24,7 @@ jobs:
       - uses: bcgov/action-test-and-analyse@v1.3.0
         with:
           commands: |
-            npm ci
+            npm ci --ignore-scripts
             npm run test-unit
           dir: api
           node_version: 18.18.2
diff --git a/api/README.md b/api/README.md
@@ -26,9 +26,9 @@ Once set up, the stack can be access using the following paths on localhost:
 
 ### Local / Bare Metal
 
-Run 'cd ../libs && npm ci' first. 
+Run 'cd ../libs && npm ci --ignore-scripts' first. 
 
-Run 'npm install' for this component.
+Run 'npm install --ignore-scripts' for this component.
 
 Start commands are available in package.json.
 
@@ -44,7 +44,7 @@ source ./localdev.env      # Linux, MacOS
 export OBJECT_STORAGE_SECRET=<hidden>
 
 # Make sure 'libs' dependencies is installed
-cd ../libs && npm ci
+cd ../libs && npm ci --ignore-scripts
 
 # Install node modules
 npm i
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -38,7 +38,7 @@ services:
       - sh
       - -c
       - cd libs && npm ci --ignore-scripts &&
-        cd ../api && npm i --ignore-scripts &&
+        cd ../api && npm ci --ignore-scripts &&
         npm run start:api
     environment:
       - DB_HOST=db
diff --git a/libs/README.md b/libs/README.md
@@ -33,7 +33,7 @@ Under 'libs' folder, current categories for the libs project contains:
 
 FOM has been migrated from mono-repo to none mono-repo for ease of resolving dependencies individually for each project (but not 'libs' with versioning). As 'libs' is a sibling project beside other projects, for the individual project to use it and to build, you do require to do following steps first before building individual project:
 - cd libs
-- npm ci
+- npm ci --ignore-scripts
 
 ## Client Library Generation
 - See [Client Library Generation](../api/README.md)
diff --git a/libs/client/typescript-ng/README.md b/libs/client/typescript-ng/README.md
@@ -4,7 +4,7 @@
 
 To install the required dependencies and to build the typescript sources run:
 ```
-npm install
+npm install --ignore-scripts
 npm run build
 ```
 
@@ -19,13 +19,13 @@ Navigate to the folder of your consuming project and run one of next commands.
 _published:_
 
 ```
-npm install @ --save
+npm install @ --save --ignore-scripts
 ```
 
 _without publishing (not recommended):_
 
 ```
-npm install PATH_TO_GENERATED_PACKAGE/dist.tgz --save
+npm install PATH_TO_GENERATED_PACKAGE/dist.tgz --save --ignore-scripts
 ```
 
 _It's important to take the tgz file, otherwise you'll get trouble with links on windows_
