Skip to content

fix(npm): Disable scripts during publish#634

Merged
BYK merged 1 commit intomasterfrom
byk/fix/tighten-npm-publish
Nov 26, 2025
Merged

fix(npm): Disable scripts during publish#634
BYK merged 1 commit intomasterfrom
byk/fix/tighten-npm-publish

Conversation

@BYK
Copy link
Copy Markdown
Member

@BYK BYK commented Nov 26, 2025

This patch disables user-defined npm scripts during publish which pose a security risk. It also adds some notes on other targets where they run code during publish (but not user-defined code).

@BYK
fix(npm): Disable scripts during publish
67d030a 
This patch disables user-defined npm scripts during publish which pose a security risk. It also adds some notes on other targets where they run code during publish (but not user-defined code).
@BYK BYK enabled auto-merge (squash) November 26, 2025 13:54
Lms24
Lms24 approved these changes Nov 26, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Lms24 Lms24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea! I checked the JS SDK monorepo, wizard and Sentry CLI. No pre-/postpublish scripts. We do have some pre-/postpack scripts (example) but this shouldn't be a factor given that we already create and upload the tarballs on the release/ branch, so before we run the publish commands

@BYK BYK merged commit 2227551 into master Nov 26, 2025
14 checks passed
@BYK BYK deleted the byk/fix/tighten-npm-publish branch November 26, 2025 14:23
@BYK BYK added the bug Something isn't working label Nov 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lms24 Lms24 Lms24 approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BYK @Lms24