Best practice for npm install --ignore-scripts with Gatsby and sharp

[7Bitrot]

Hi everyone,

I’m trying to harden a Gatsby workflow against npm supply-chain risk by using npm install --ignore-scripts and/or ignore-scripts=true in .npmrc.

Install-time lifecycle scripts are a common attack vector, and OWASP recommends disabling them by default. One way to keep the security posture while still allowing needed packages to work is @lavamoat/allow-scripts, which provides a whitelist for install/postinstall scripts.

In my minimal Gatsby example, sharp fails when install scripts are blocked, and the project builds again after allowing gatsby-plugin-sharp>sharp in the lavamoat.allowScripts allow list.

I have a few related questions:

1. For Gatsby projects, are there other packages or plugin chains that typically require install scripts enabled for Gatsby features to function properly?
2. Is there a recommended “Gatsby-safe” allow list pattern, or any known common Gatsby dependency entries that should be allowed when using @lavamoat/allow-scripts?
3. I know install-time lifecycle scripts are the main security concern here, but should I also treat build-time scripts or Gatsby lifecycle scripts as a separate risk in this scenario?

A couple of clarifications to keep the focus on the right risk model:

• ignore-scripts=true only affects npm lifecycle scripts such as preinstall, install, and postinstall.
• Normal build commands like gatsby build are not disabled by that flag, but I want to understand whether Gatsby’s build-time/plugin hooks add any additional script-related risk worth handling separately.
• The exact lavamoat.allowScripts entries depend on package versions and installed Gatsby plugins, so I’m looking for community guidance rather than a fixed whitelist.

I don’t think this is a bug, so I’m asking here first before opening an issue. Thanks for any guidance or recommended practices.

[7Bitrot]

A little update on this topic: using can-i-ignore-scripts, I was able to pinpoint some packages that should be allowed in this example, and the ones that can be safely ignored.

{
    "lavamoat": {
    "allowScripts": {
      "@lavamoat/preinstall-always-fail#3.0.0": false,
      "gatsby#5.16.1": false,
+     "gatsby-plugin-sharp>sharp#0.32.6": true,
+     "gatsby>@parcel/cache>lmdb#2.5.2": true,
      "gatsby>@pmmmwh/react-refresh-webpack-plugin>core-js-pure#3.24.1": false,
      "gatsby>core-js#3.48.0": false,
      "gatsby>gatsby-cli#5.16.0": false,
+     "gatsby>lmdb#2.5.3": true,
+     "gatsby>lmdb>msgpackr>msgpackr-extract#3.0.3": true,
      "gatsby>memoizee>es5-ext#0.10.64": false,
+     "sass>@parcel/watcher#2.5.6": true,
    }
  }
}

can-i-ignore-scripts will suggest you check other packages:

You have 4 packages identified as 'check' that are not yet allowed.
  es5-ext,
  gatsby,
  gatsby-cli,
  ljharb-monorepo-symlink-test
Please review these packages and update your 
lavamoat allowlist in package.json as needed.

es5-ext and ljharb-monorepo-symlink-test can be ignored. I’m not sure whether gatsby and gatsby-cli need to be allowed.

Should I also treat build-time scripts or Gatsby lifecycle scripts as a separate risk in this scenario?

Community, or maintainers input are still appreciated.

[7Bitrot]

Just updated can-i-ignore-scripts with the packages that can be ignored on install, in case anyone for some reason wants to use ignore-scripts=true with a legacy Gatsby project.

Thanks for your attention.