mirror of
https://github.com/zulip/zulip.git
synced 2026-07-12 21:04:41 +08:00
As predicted in https://www.kb.cert.org/vuls/id/319816/, a malicious worm is beginning to spread across the npm ecosystem through package postinstall scripts. Only instead of direct self-replicating code, the replication vector is the temptation to monetize postinstall scripts by polluting the console logs with paid advertisements. The effect will be the same unless we all put a stop to this while we still can. Apply the recommended VU#319816 workaround, which is to disable lifecycle scripts when installing npm packages. The only fallout is: * node-sass can’t run because it uses compiled native code; we replace it with Dart Sass. * phantomjs-prebuilt doesn’t download the binary at install time; we tell it to download it in run-casper. * ttf2woff2 transparently falls back from native code to an Emscripten build. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> |
||
|---|---|---|
| .. | ||
| third | ||
| __init__.py | ||
| build-pgroonga | ||
| build-tsearch-extras | ||
| certbot-maybe-renew | ||
| check-upstart | ||
| clean_emoji_cache.py | ||
| clean_node_cache.py | ||
| clean_venv_cache.py | ||
| clean-unused-caches | ||
| create-production-venv | ||
| create-thumbor-venv | ||
| email-mirror-postfix | ||
| hash_reqs.py | ||
| install | ||
| install-node | ||
| install-shellcheck | ||
| node_cache.py | ||
| process-mobile-i18n | ||
| pythonrc.py | ||
| queue_workers.py | ||
| setup_path_on_import.py | ||
| setup_venv.py | ||
| setup-apt-repo | ||
| setup-apt-repo-debathena | ||
| setup-yum-repo | ||
| unpack-zulip | ||
| upgrade-zulip | ||
| upgrade-zulip-from-git | ||
| upgrade-zulip-stage-2 | ||
| zulip_tools.py | ||