Fix typo: replace --ignore-script with --ignore-scripts in CI #21
alecgibson merged 1 commit into main from
Conversation
--ignore-script is not a valid npm flag. The correct flag is --ignore-scripts (plural), as documented in the npm CLI docs: https://docs.npmjs.com/cli/v10/commands/npm-install#ignore-scripts
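The class of bug this PR fixes (a mistyped npm flag that leaves lifecycle scripts enabled during an authenticated install) is easy to catch mechanically. The following is an added example, not code from this repository or from the npm CLI: a small lint that scans the `run:` lines of a GitHub Actions workflow for `npm ci` / `npm install` invocations and reports the invalid singular `--ignore-script` as well as installs that omit `--ignore-scripts` entirely. The workflow excerpt embedded below is constructed to mirror the step in this PR and is not the project's real file; `check_npm_install_lines` and the surrounding names are this example's own.

```python
import re
import shlex

# Constructed workflow excerpt modelled on the step this PR fixes
# (not the repository's actual .github/workflows file).
WORKFLOW_BEFORE = """\
jobs:
  test:
    steps:
      - uses: actions/setup-node@v4
        with:
          registry-url: 'https://npm.pkg.github.com'
      - name: Install
        # Skip post-install to avoid malicious scripts stealing PAT
        run: npm ci --ignore-script
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Post-install
        run: npm rebuild && npm run prepare
"""

# The same excerpt with the flag spelled correctly (the state after this PR).
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace("--ignore-script\n", "--ignore-scripts\n")

# npm subcommands that install dependencies and therefore run lifecycle scripts
# (preinstall/install/postinstall/prepare) unless --ignore-scripts is given.
NPM_INSTALL_CMDS = {"ci", "install", "i", "add"}


def check_npm_install_lines(workflow_text):
    """Return a list of (line_number, message) findings for single-line
    `run:` steps that install npm dependencies with scripts enabled.

    Limitation: multi-line `run: |` blocks are not parsed by this example.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = re.match(r"\s*(?:-\s*)?run:\s*(.*)$", line)
        if not m:
            continue
        # Split on shell operators so "npm rebuild && npm run prepare"
        # is examined as two separate commands.
        for segment in re.split(r"&&|\|\||;|\|", m.group(1)):
            try:
                tokens = shlex.split(segment)
            except ValueError:
                continue  # unbalanced quotes; not an npm install we can reason about
            if len(tokens) < 2 or tokens[0] != "npm" or tokens[1] not in NPM_INSTALL_CMDS:
                continue
            flags = set(tokens[2:])
            if "--ignore-script" in flags:
                findings.append((lineno,
                    "--ignore-script is not a valid npm flag and does not disable "
                    "lifecycle scripts; use --ignore-scripts"))
            elif not ({"--ignore-scripts", "--ignore-scripts=true"} & flags):
                findings.append((lineno,
                    "npm %s runs lifecycle scripts with any credentials in the "
                    "environment; add --ignore-scripts" % tokens[1]))
    return findings


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, check_npm_install_lines(text))
```

Run the file directly to see the "before" excerpt flagged on its `npm ci` line and the "after" excerpt pass clean; the same function can be pointed at any workflow text whose install steps are single-line `run:` entries.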
Pull request overview
Updates the CI workflow to use the correct npm flag for disabling lifecycle scripts during dependency installation, aligning the pipeline with npm CLI behavior and the stated security intent.
Changes:
- Fix CI install command typo by changing --ignore-script to the valid --ignore-scripts flag.
| @@ -33,7 +33,7 @@ jobs: | |||
| registry-url: 'https://npm.pkg.github.com' | |||
| - name: Install | |||
| # Skip post-install to avoid malicious scripts stealing PAT | |||
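Review bot: the comment on the Install step, "Skip post-install to avoid malicious scripts stealing PAT", understates what the flag does: --ignore-scripts disables every lifecycle script npm would otherwise run during the install (preinstall, install, postinstall and prepare), not only postinstall, and the changed run: line itself is not visible in this excerpt, so the comment is the only place a reader learns the intent. Suggest wording it to name the flag and the full set of scripts it suppresses, for example "# --ignore-scripts: run no lifecycle scripts while NODE_AUTH_TOKEN is in the environment", so the comment stays accurate if the install command is edited again.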
The comment about skipping post-install scripts to avoid stealing a "PAT" is a bit misleading/inaccurate: this step sets NODE_AUTH_TOKEN from secrets.GITHUB_TOKEN (not a PAT), and lifecycle scripts are later re-enabled via the npm rebuild && npm run prepare step. Consider updating the comment to clarify that scripts are skipped only during the authenticated install step (and that the credential is GITHUB_TOKEN/auth token).
Suggested change:
- # Skip post-install to avoid malicious scripts stealing PAT
+ # During authenticated install, skip lifecycle scripts to reduce risk of
+ # malicious scripts exfiltrating the GITHUB_TOKEN auth token; scripts are
+ # re-enabled in the post-install step below.
Summary
- --ignore-script → --ignore-scripts in CI workflows
- --ignore-script is not a valid npm flag and is silently ignored
- --ignore-scripts (plural) is the correct flag, per the npm install docs

Test plan
🤖 Generated with Claude Code