Adopt @lavamoat/allow-scripts to gate npm install scripts

Disables dependency lifecycle scripts by default via .npmrc (ignore-scripts=true) so arbitrary packages cannot execute code at install time. An explicit allowlist in web/package.json opts specific packages back in, and CI/Docker/Taskfile now run allow-scripts after npm install to apply it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 11:29:08 -03:00
parent 0446e8f8a7
commit 668397104a
6 changed files with 1295 additions and 4 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -15,7 +15,9 @@ tasks:
  web:install:
    desc: Install frontend dependencies
    dir: "{{.WEB_DIR}}"
-    cmd: npm install
+    cmds:
+      - npm install
+      - npm exec -- allow-scripts
    sources:
      - package.json
    generates: