Skip to content

LTS-3295: add supply-chain hardened .npmrc#15

Merged
pattu777 merged 3 commits into
mainfrom
sec/LTS-3295-npmrc-hardening
Jul 7, 2026
Merged

LTS-3295: add supply-chain hardened .npmrc#15
pattu777 merged 3 commits into
mainfrom
sec/LTS-3295-npmrc-hardening

Conversation

@amitsi-bs

@amitsi-bs amitsi-bs commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What

Adds the .npmrc required by the weekly SC-12282 supply-chain .npmrc audit (repo failed with missing_file).

Resolves LTS-3295.

Directives

strict-ssl=true
save-exact=true
audit-level=high
legacy-peer-deps=false

Deferred (documented in-file), matching sibling-repo precedent

  • ignore-scripts=true — dependencies fetch driver binaries during postinstall (edgedriver, geckodriver) and esbuild verifies its platform-specific native binary on install; enabling ignore-scripts would break local driver setup.
  • engine-strict=true — customers clone and run this sample on a wide range of Node versions; hard EBADENGINE enforcement on transitive deps would break npm install for them. Kept as a warning.
  • access=restricted — omitted; this is a public, customer-facing sample, not a private published package.

Ref: Supply Chain Security Enhancements Tech Spec

🤖 Generated with Claude Code

Adds the .npmrc required by the weekly SC-12282 supply-chain audit.
Enables strict-ssl, save-exact, audit-level=high, legacy-peer-deps=false.

ignore-scripts and engine-strict are deferred (documented in-file):
ignore-scripts would break postinstall driver-binary downloads
(edgedriver, geckodriver) and esbuild's native-binary check; engine-strict
would break `npm install` for customers on varied Node versions.
access=restricted omitted (public repo).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@amitsi-bs amitsi-bs requested a review from a team as a code owner July 6, 2026 10:59
@amitsi-bs amitsi-bs requested a review from rohit-Bstack July 6, 2026 10:59
Comment thread .npmrc Fixed
- .npmrc: add ignore-scripts=true + engine-strict=true -> all 6 SC-12282
  directives now present (access=restricted is N/A for a public sample).
  ignore-scripts is safe here: these tests run remotely on BrowserStack and
  Edge/Gecko are not supported on our platform, so the local driver-binary
  postinstalls (edgedriver/geckodriver) are not needed.
- package.json: pin browserstack-node-sdk to 1.61.0 (latest; the wdio/NodeBase
  BLU runner relies on package.json and does not override the node-SDK version).
  Add engines.node ">=18" (satisfied by the runner pods and required by
  @wdio/cli 9) so engine-strict has a safe floor that only rejects EOL Node.
- package-lock.json: regenerated for 1.61.0, kept lockfileVersion 2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread .npmrc Fixed
…-minimum-release-age)

Semgrep p/default flagged `npm-missing-minimum-release-age` on this .npmrc — a
supply-chain rule (npm v11.10+) wanting a cooldown before resolving
newly-published package versions. Adding `min-release-age=7` clears it (semgrep
p/default now reports 0 findings locally). Validated inert-safe on the runner pod
via the paired Playwright prod run (pod npm treats it as harmless today; activates
as protection on npm >=11.10).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread package.json
"@wdio/mocha-framework": "^9.26.1",
"@wdio/spec-reporter": "^9.26.1",
"browserstack-node-sdk": "^1.50.3",
"browserstack-node-sdk": "1.61.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of pinning to any version keep it as latest

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We pinned deliberately here — a floating "latest" conflicts with three of the SC-12282 hardening directives this PR adds:

  • save-exact=true — no ^/~ ranges allowed
  • min-release-age=7 — don't resolve packages published < 7 days ago
  • ignore-scripts=true — removes the old postinstall: npm update browserstack-node-sdk that used to auto-fetch latest

The audit's whole intent is to not auto-adopt the newest release on install (that's the supply-chain vector — a compromised fresh publish). Note we did pin to the current latest (1.61.0), so it's up to date today; pinning just stops silent drift.

To keep it current without floating, the clean path is Dependabot — it raises a reviewed PR to bump the exact pin as new SDKs ship (and can respect the 7-day cooldown). That gives "always current" through controlled, testable updates.

If you'd still prefer a floating latest for the samples specifically, we can do that — but it makes these sample repos a documented exception to SC-12282 (defensible, since they're public customer samples rather than shipped services). Happy to go either way — let me know your preference.

Comment thread .npmrc
save-exact=true
audit-level=high
legacy-peer-deps=false
ignore-scripts=true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with this configuration to initiate tests with cli and ui?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — validated end-to-end on the real prod BLU pod via the CLI (browserstack-cli load run), for both this WebdriverIO sample and the Playwright one:

  • pod installs the sample with the hardened .npmrc (ignore-scripts + engine-strict + min-release-age) — no install/scripts/engine issues
  • engines.node is honored (pod ran Node 18.20.4), SDK resolved, test ran to completion, VUH + web-vitals/network metrics published, video/logs uploaded
  • Playwright: 2/2 tests passed (test_status=completed); WebdriverIO: add-to-cart passed (the checkout step failed on a sample selector unrelated to this change)

The dashboard-UI-initiated flow uploads the same package + browserstack-load.yml, so it exercises the identical install/run path — I can attach a UI-triggered run too if you'd like that explicitly on record.

@pattu777 pattu777 merged commit d4988e7 into main Jul 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants