npm: allow git dependencies only in the root package.json #66
https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/
Git dependencies, direct or transitive, can include .npmrc files that override the git executable path. This enables arbitrary code execution during install even when using --ignore-scripts.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.npmrc:
- Line 6: The .npmrc uses allow-git which is ignored by npm < 11.9.0; ensure CI
and developer environments run npm ≥ 11.9.0 by adding an explicit npm version
pin — e.g., add an engines field to package.json ("npm": ">=11.9.0"), or add a
.nvmrc / .node-version with a Node release that ships npm ≥ 11.9.0, or configure
your GitHub Actions setup-node step to install npm >= 11.9.0; update whichever
of package.json, .nvmrc, .node-version or the CI setup-node action you prefer so
that the allow-git setting in .npmrc is honored.
| # SPDX-License-Identifier: CC0-1.0 | ||
|
|
||
| ignore-scripts = true | ||
| allow-git = root |
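Review bot: `allow-git = root` on the last line is silently ignored by npm < 11.9.0 (the inline finding below confirms the ubuntu-24.04 runner default is npm 10.8.3), so on its own this line enforces nothing in those environments; pair it with an npm floor such as an `engines` entry (`"npm": ">=11.9.0"`) in package.json or a pinned setup-node version in CI, and add a comment above the line citing the changelog so the next reader knows why git dependencies are restricted to the root package.json.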
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Check npm/node version pinning in repo metadata =="
fd -HI '(^|/)(package.json|.nvmrc|.node-version|Dockerfile|dockerfile|compose\.ya?ml|ci\.yml|.*workflow.*\.ya?ml)$' \
| xargs -r rg -n -C2 --iglob '*package.json' --iglob '*.yml' --iglob '*.yaml' --iglob 'Dockerfile*' \
'("engines"\s*:\s*\{|"npm"\s*:\s*|node-version|setup-node|npm@|corepack|npm ci|npm install)'
echo
echo "== Check for npm config usage related to allow-git =="
rg -n -C2 --iglob '*.yml' --iglob '*.yaml' --iglob '*.sh' --iglob '*.md' --iglob '.npmrc' \
'(allow-git|npm ci|npm install|--allow-git)'
echo
echo "Expected: all execution paths that run npm are pinned to npm >= 11.9.0 (or explicitly pass --allow-git=root)."
Repository: ddterm/gjs-typelib-installer
Length of output: 886
🏁 Script executed:
# Check package.json for an engines field
head -50 package.json
# Check whether .nvmrc or .node-version files exist (fd syntax: -H includes dotfiles, -t f restricts to files)
fd -H -t f '^\.(nvmrc|node-version)$'
# Check the GitHub Actions workflow for a setup-node step or node-version input
grep -A5 -B5 'setup-node\|node-version' .github/workflows/ci.yml || echo "No setup-node or node-version found"
Repository: ddterm/gjs-typelib-installer
Length of output: 1580
🏁 Script executed:
cat .github/workflows/ci.yml
Repository: ddterm/gjs-typelib-installer
Length of output: 3811
🌐 Web query:
GitHub Actions ubuntu-24.04 default Node.js npm version
💡 Result:
On GitHub Actions ubuntu-24.04 runner (current as of 2026-05-03), the default Node.js version is 20.20.2. This is the version available on PATH without using actions/setup-node. The corresponding default npm version is the one bundled with Node.js 20.20.2, which is npm 10.8.3 (confirmed from Node.js release notes and standard bundling). Multiple Node.js versions are pre-cached (20.x, 22.x, 24.x), but 20.20.2 is listed first under Language and Runtime as the primary/default installation. Note: Node.js 20 reaches EOL on 2026-04-30, and there is an open issue discussing updating the default to 22 or 24 post-EOL, but as of current sources (main branch Readme and March/April 2026 image releases), it remains 20.20.2.
Citations:
- 1: https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md
- 2: ubuntu-latest default Node.js 20.20.2 unsupported actions/runner-images#13833
- 3: https://github.com/actions/runner-images/releases/tag/ubuntu24/20260329.72
- 4: https://github.com/actions/runner-images/releases/tag/ubuntu24/20260309.50
Pin npm to version ≥ 11.9.0 to enforce allow-git restriction.
The allow-git config is silently ignored by npm < 11.9.0. Current GitHub Actions ubuntu-24.04 default is npm 10.8.3, which does not support this feature. Add version pinning via engines field in package.json, .nvmrc, .node-version, or setup-node action in CI to ensure npm ≥ 11.9.0 runs in all execution contexts.
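An added CI check, not code from this PR or from npm: it reads a lockfile's `packages` map and reports git-resolved packages that the root package.json does not itself declare with a git-style spec, which is the restriction `allow-git = root` expresses, as a fallback for the case raised above where npm < 11.9.0 ignores the setting. The `GIT_SPEC` pattern, the root-declared approximation and the sample lockfile are assumptions.

```javascript
// Added example (not code from the PR or from npm): audit a lockfile v3 "packages"
// map for git-resolved packages that the root package.json does not itself declare
// with a git-style spec. Approximates what `allow-git = root` enforces, as a CI
// fallback for npm < 11.9.0 where the setting is silently ignored (assumed logic).
const GIT_SPEC = /^(git\+|git:|github:|gitlab:|bitbucket:|gist:)|^[A-Za-z0-9][\w.-]*\/[\w.-]+(#|$)/;

// A lockfile entry came from git if npm resolved it to a git+... or git: URL.
function isGitResolved(entry) {
  return typeof entry.resolved === 'string' && /^git(\+|:)/.test(entry.resolved);
}

// Names the root package.json declares with a git-style spec.
function rootGitDeclared(lock) {
  const root = (lock.packages && lock.packages['']) || {};
  const declared = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(root[field] || {})) {
      if (GIT_SPEC.test(spec)) declared.add(name);
    }
  }
  return declared;
}

// Lockfile paths of git-resolved packages that are not root-declared: nested
// (transitive) ones, and hoisted ones whose root spec is not a git spec.
function findDisallowedGitDeps(lock) {
  const allowed = rootGitDeclared(lock);
  const flagged = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !isGitResolved(entry)) continue;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const topLevel = path === `node_modules/${name}`;
    if (!(topLevel && allowed.has(name))) flagged.push(path);
  }
  return flagged;
}

// Constructed sample lockfile: `my-tool` is a root-declared git dependency
// (allowed); `sneaky` is pulled in transitively by `left-pad-ish` (flagged).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'my-tool': 'github:example-org/my-tool#v1', 'left-pad-ish': '^1.0.0' } },
    'node_modules/my-tool': { resolved: 'git+ssh://git@github.com/example-org/my-tool.git#abc123' },
    'node_modules/left-pad-ish': { resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz' },
    'node_modules/left-pad-ish/node_modules/sneaky': { resolved: 'git+https://github.com/example-org/sneaky.git#def456' },
  },
};
console.log('git dependencies outside the root package.json:', findDisallowedGitDeps(SAMPLE_LOCK));
```

Against a real repository, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and fail the job when the returned list is non-empty.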