LTS-3295: add supply-chain hardened .npmrc#15
Conversation
Adds the .npmrc required by the weekly SC-12282 supply-chain audit. Enables strict-ssl, save-exact, audit-level=high, legacy-peer-deps=false. ignore-scripts and engine-strict are deferred (documented in-file): ignore-scripts would break postinstall driver-binary downloads (edgedriver, geckodriver) and esbuild's native-binary check; engine-strict would break `npm install` for customers on varied Node versions. access=restricted omitted (public repo). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- .npmrc: add ignore-scripts=true + engine-strict=true -> all 6 SC-12282 directives now present (access=restricted is N/A for a public sample). ignore-scripts is safe here: these tests run remotely on BrowserStack and Edge/Gecko are not supported on our platform, so the local driver-binary postinstalls (edgedriver/geckodriver) are not needed. - package.json: pin browserstack-node-sdk to 1.61.0 (latest; the wdio/NodeBase BLU runner relies on package.json and does not override the node-SDK version). Add engines.node ">=18" (satisfied by the runner pods and required by @wdio/cli 9) so engine-strict has a safe floor that only rejects EOL Node. - package-lock.json: regenerated for 1.61.0, kept lockfileVersion 2. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-minimum-release-age) Semgrep p/default flagged `npm-missing-minimum-release-age` on this .npmrc — a supply-chain rule (npm v11.10+) wanting a cooldown before resolving newly-published package versions. Adding `min-release-age=7` clears it (semgrep p/default now reports 0 findings locally). Validated inert-safe on the runner pod via the paired Playwright prod run (pod npm treats it as harmless today; activates as protection on npm >=11.10). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| "@wdio/mocha-framework": "^9.26.1", | ||
| "@wdio/spec-reporter": "^9.26.1", | ||
| "browserstack-node-sdk": "^1.50.3", | ||
| "browserstack-node-sdk": "1.61.0", |
There was a problem hiding this comment.
Instead of pinning to any version keep it as latest
There was a problem hiding this comment.
We pinned deliberately here — a floating "latest" conflicts with three of the SC-12282 hardening directives this PR adds:
save-exact=true— no^/~ranges allowedmin-release-age=7— don't resolve packages published < 7 days agoignore-scripts=true— removes the oldpostinstall: npm update browserstack-node-sdkthat used to auto-fetch latest
The audit's whole intent is to not auto-adopt the newest release on install (that's the supply-chain vector — a compromised fresh publish). Note we did pin to the current latest (1.61.0), so it's up to date today; pinning just stops silent drift.
To keep it current without floating, the clean path is Dependabot — it raises a reviewed PR to bump the exact pin as new SDKs ship (and can respect the 7-day cooldown). That gives "always current" through controlled, testable updates.
If you'd still prefer a floating latest for the samples specifically, we can do that — but it makes these sample repos a documented exception to SC-12282 (defensible, since they're public customer samples rather than shipped services). Happy to go either way — let me know your preference.
| save-exact=true | ||
| audit-level=high | ||
| legacy-peer-deps=false | ||
| ignore-scripts=true |
There was a problem hiding this comment.
Tested with this configuration to initiate tests with cli and ui?
There was a problem hiding this comment.
Yes — validated end-to-end on the real prod BLU pod via the CLI (browserstack-cli load run), for both this WebdriverIO sample and the Playwright one:
- pod installs the sample with the hardened
.npmrc(ignore-scripts+engine-strict+min-release-age) — no install/scripts/engine issues engines.nodeis honored (pod ran Node 18.20.4), SDK resolved, test ran to completion, VUH + web-vitals/network metrics published, video/logs uploaded- Playwright: 2/2 tests passed (
test_status=completed); WebdriverIO: add-to-cart passed (the checkout step failed on a sample selector unrelated to this change)
The dashboard-UI-initiated flow uploads the same package + browserstack-load.yml, so it exercises the identical install/run path — I can attach a UI-triggered run too if you'd like that explicitly on record.
What
Adds the
.npmrcrequired by the weekly SC-12282 supply-chain.npmrcaudit (repo failed withmissing_file).Resolves LTS-3295.
Directives
Deferred (documented in-file), matching sibling-repo precedent
ignore-scripts=true— dependencies fetch driver binaries during postinstall (edgedriver,geckodriver) andesbuildverifies its platform-specific native binary on install; enablingignore-scriptswould break local driver setup.engine-strict=true— customers clone and run this sample on a wide range of Node versions; hardEBADENGINEenforcement on transitive deps would breaknpm installfor them. Kept as a warning.access=restricted— omitted; this is a public, customer-facing sample, not a private published package.Ref: Supply Chain Security Enhancements Tech Spec
🤖 Generated with Claude Code