Adopt @lavamoat/allow-scripts to gate npm install scripts

Disables dependency lifecycle scripts by default via .npmrc
(ignore-scripts=true) so arbitrary packages cannot execute code at
install time. An explicit allowlist in web/package.json opts specific
packages back in, and CI/Docker/Taskfile now run allow-scripts after
npm install to apply it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: web
-        run: npm install
+        run: npm install && npm exec -- allow-scripts
 
       - name: Type check
         working-directory: web

Dockerfile

@@ -1,8 +1,8 @@
 # Stage 1: Build React frontend
 FROM node:22-alpine AS frontend
 WORKDIR /app/web
-COPY web/package*.json ./
-RUN npm install
+COPY web/package*.json web/.npmrc ./
+RUN npm install && npm exec -- allow-scripts
 COPY web/ ./
 RUN npm run build
 

Taskfile.yml

@@ -15,7 +15,9 @@ tasks:
   web:install:
     desc: Install frontend dependencies
     dir: "{{.WEB_DIR}}"
-    cmd: npm install
+    cmds:
+      - npm install
+      - npm exec -- allow-scripts
     sources:
       - package.json
     generates:

web/.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

web/package.json

@@ -4,6 +4,7 @@
   "private": true,
   "type": "module",
   "dependencies": {
+    "@lavamoat/preinstall-always-fail": "^3.0.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-router-dom": "^7.13.1"
@@ -15,6 +16,7 @@
     "test": "vitest run"
   },
   "devDependencies": {
+    "@lavamoat/allow-scripts": "^5.0.1",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
@@ -28,5 +30,10 @@
     "typescript": "^6.0.2",
     "vite": "^8.0.8",
     "vitest": "^4.1.4"
+  },
+  "lavamoat": {
+    "allowScripts": {
+      "@lavamoat/preinstall-always-fail": false
+    }
   }
 }