mirror of
https://github.com/zulip/zulip.git
synced 2025-11-05 06:23:38 +00:00
43c8c720ef
As predicted in https://www.kb.cert.org/vuls/id/319816/, a malicious worm is beginning to spread across the npm ecosystem through package postinstall scripts. Only instead of direct self-replicating code, the replication vector is the temptation to monetize postinstall scripts by polluting the console logs with paid advertisements. The effect will be the same unless we all put a stop to this while we still can. Apply the recommended VU#319816 workaround, which is to disable lifecycle scripts when installing npm packages. The only fallout is: * node-sass can’t run because it uses compiled native code; we replace it with Dart Sass. * phantomjs-prebuilt doesn’t download the binary at install time; we tell it to download it in run-casper. * ttf2woff2 transparently falls back from native code to an Emscripten build. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
3.9 KiB
3.9 KiB