zulip/scripts
Anders Kaseorg 43c8c720ef node_cache: Run yarn with --ignore-scripts.
As predicted in https://www.kb.cert.org/vuls/id/319816/, a malicious
worm is beginning to spread across the npm ecosystem through package
postinstall scripts.  Only instead of direct self-replicating code,
the replication vector is the temptation to monetize postinstall
scripts by polluting the console logs with paid advertisements.  The
effect will be the same unless we all put a stop to this while we
still can.

Apply the recommended VU#319816 workaround, which is to disable
lifecycle scripts when installing npm packages.  The only fallout is:

* node-sass can’t run because it uses compiled native code; we replace
  it with Dart Sass.
* phantomjs-prebuilt doesn’t download the binary at install time; we
  tell it to download it in run-casper.
* ttf2woff2 transparently falls back from native code to an Emscripten
  build.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-08-26 14:36:03 -07:00
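
Before adopting the workaround described in the commit message above, it helps to know which installed packages depend on install-time scripts, since those are the ones that produce fallout like the three items listed. The Node.js script below is an added example, not part of the Zulip repository; the function names `installHooks` and `auditNodeModules` are this example's own.

```javascript
// Added example, not Zulip's code: list the packages in a node_modules tree that
// rely on install-time lifecycle scripts, i.e. what --ignore-scripts will skip.
// The loader works whether this file runs as CommonJS or as an ES module.
const load = (m) => (typeof require === "function" ? require(m) : process.getBuiltinModule(m));
const fs = load("node:fs");
const path = load("node:path");

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Hooks one package would run at install time. npm documents an implicit
// "node-gyp rebuild" install step when binding.gyp exists and no install or
// preinstall script is defined, so that case is reported as well.
function installHooks(pkgDir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
  } catch {
    return null; // not a package directory, or the manifest is unreadable
  }
  const scripts = manifest.scripts || {};
  const hooks = {};
  for (const h of INSTALL_HOOKS) if (typeof scripts[h] === "string") hooks[h] = scripts[h];
  if (!hooks.install && !hooks.preinstall && fs.existsSync(path.join(pkgDir, "binding.gyp"))) {
    hooks.install = "node-gyp rebuild (implicit, binding.gyp present)";
  }
  return { name: manifest.name || path.basename(pkgDir), hooks };
}

// Walk node_modules, descending into @scope directories and nested
// node_modules. Symlinked entries are skipped, which also avoids link loops.
function auditNodeModules(dir, findings = []) {
  if (!fs.existsSync(dir) || !fs.statSync(dir).isDirectory()) return findings;
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const pkgDir = path.join(dir, entry.name);
    if (entry.name.startsWith("@")) { auditNodeModules(pkgDir, findings); continue; }
    const info = installHooks(pkgDir);
    if (info && Object.keys(info.hooks).length > 0) findings.push({ ...info, dir: pkgDir });
    auditNodeModules(path.join(pkgDir, "node_modules"), findings);
  }
  return findings;
}

// Usage: node audit-hooks.js [path/to/node_modules]   (defaults to ./node_modules)
for (const f of auditNodeModules(process.argv[2] || "node_modules")) {
  console.log(f.name, JSON.stringify(f.hooks));
}
```

Each reported package needs a decision: replace it, trigger its setup step explicitly, or confirm that it has a fallback when its script does not run.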

This directory contains scripts that:

  • Generally do not require access to Django or the database (those are "management commands"), and thus are suitable to run operationally.

  • Are useful for managing a production deployment of Zulip (many are also used in a Zulip development environment, though development-only scripts live in tools/).

For more details, see https://zulip.readthedocs.io/en/latest/overview/directory-structure.html.