ci - install deps - limit install scripts to whitelist (#7208)

* ci - install deps - limit install scripts to those needed for build * Update .circleci/scripts/deps-install.sh Co-Authored-By: Mark Stacey <markjstacey@gmail.com> * ci - install deps - expand install scripts needed for tests * ci - install deps - expand install scripts needed for integration tests * ci - install deps - fix node-sass script ref * github - set codeowners for scripts/deps-install * development - add utility to show deps with install scripts * lint fix * deps - move read-installed to devDeps
2024-11-25 03:20:23 +01:00 · 2019-09-25 20:01:10 +08:00 · 2019-09-25 20:01:10 +08:00 · e1efb4d7ac
commit e1efb4d7ac
parent 1bd22b58c0
6 changed files with 119 additions and 4 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -95,7 +95,7 @@ jobs:
      - run:
          name: Install deps
          command: |
-           yarn --frozen-lockfile --har
+            .circleci/scripts/deps-install.sh
      - run:
          name: Collect yarn install HAR logs
          command: |
--- a/.circleci/scripts/deps-install.sh
+++ b/.circleci/scripts/deps-install.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -x
+
+yarn --frozen-lockfile --ignore-scripts --har
+
+# run each in subshell so directory change does not persist
+# scripts can be any of:
+#   preinstall
+#   install
+#   postinstall
+
+# for build
+(cd node_modules/node-sass && yarn run postinstall)
+(cd node_modules/optipng-bin && yarn run postinstall)
+(cd node_modules/gifsicle && yarn run postinstall)
+(cd node_modules/jpegtran-bin && yarn run postinstall)
+
+# for test
+(cd node_modules/scrypt && yarn run install)
+(cd node_modules/weak && yarn run install)
+(cd node_modules/chromedriver && yarn run install)
+(cd node_modules/geckodriver && yarn run postinstall)
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -5,4 +5,4 @@ package.json                         @danjm @whymarrh @Gudahtt
 yarn.lock                            @danjm @whymarrh @Gudahtt
 ui/                                  @danjm @whymarrh @Gudahtt
 app/scripts/controllers/transactions @frankiebee
-
+.circleci/scripts/deps-install.sh    @kumavis @Gudahtt
--- a/development/show-deps-install-scripts.js
+++ b/development/show-deps-install-scripts.js
@ -0,0 +1,28 @@
+// This script lists all dependencies that have package install scripts
+const path = require('path')
+const readInstalled = require('read-installed')
+
+const installScripts = ['preinstall', 'install', 'postinstall']
+
+readInstalled('./', { dev: true }, function (err, data) {
+  if (err) throw err
+
+  const deps = data.dependencies
+  Object.entries(deps).forEach(([packageName, packageData]) => {
+    const packageScripts = packageData.scripts || {}
+    const scriptKeys = Reflect.ownKeys(packageScripts)
+
+    const hasInstallScript = installScripts.some(installKey => scriptKeys.includes(installKey))
+    if (!hasInstallScript) return
+
+    const matchingScripts = {}
+    if (packageScripts.preinstall) matchingScripts.preinstall = packageScripts.preinstall
+    if (packageScripts.install) matchingScripts.install = packageScripts.install
+    if (packageScripts.postinstall) matchingScripts.postinstall = packageScripts.postinstall
+    const scriptNames = Reflect.ownKeys(matchingScripts)
+
+    const relativePath = path.relative(process.cwd(), packageData.path)
+
+    console.log(`${packageName}: ${relativePath} ${scriptNames}`)
+  })
+})
--- a/package.json
+++ b/package.json
@ -202,6 +202,7 @@
    "css-loader": "^2.1.1",
    "deep-freeze-strict": "^1.1.1",
    "del": "^3.0.0",
+    "read-installed": "^4.0.3",
    "deps-dump": "^1.1.0",
    "envify": "^4.0.0",
    "enzyme": "^3.4.4",
--- a/yarn.lock
+++ b/yarn.lock
@ -3650,7 +3650,7 @@ arrify@^1.0.0, arrify@^1.0.1:
  resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d"
  integrity sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=

-asap@^2.0.6, asap@~2.0.3:
+asap@^2.0.0, asap@^2.0.6, asap@~2.0.3:
  version "2.0.6"
  resolved "https://registry.yarnpkg.com/asap/-/asap-2.0.6.tgz#e50347611d7e690943208bbdafebcbc2fb866d46"
  integrity sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=
@ -7887,6 +7887,11 @@ debug@^4.0.0, debug@^4.0.1, debug@^4.1.0, debug@^4.1.1, debug@~4.1.0:
  dependencies:
    ms "^2.1.1"

+debuglog@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/debuglog/-/debuglog-1.0.1.tgz#aa24ffb9ac3df9a2351837cfb2d279360cd78492"
+  integrity sha1-qiT/uaw9+aI1GDfPstJ5NgzXhJI=
+
 decamelize-keys@^1.0.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/decamelize-keys/-/decamelize-keys-1.1.0.tgz#d171a87933252807eb3cb61dc1c1445d078df2d9"
@ -8323,6 +8328,14 @@ detectrtc@^1.3.6:
  resolved "https://registry.yarnpkg.com/detectrtc/-/detectrtc-1.3.6.tgz#dabc0353981a3da7732de969071c08b6dddd5b59"
  integrity sha1-2rwDU5gaPadzLelpBxwItt3dW1k=

+dezalgo@^1.0.0:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/dezalgo/-/dezalgo-1.0.3.tgz#7f742de066fc748bc8db820569dddce49bf0d456"
+  integrity sha1-f3Qt4Gb8dIvI24IFad3c5Jvw1FY=
+  dependencies:
+    asap "^2.0.0"
+    wrappy "1"
+
 di@^0.0.1:
  version "0.0.1"
  resolved "https://registry.yarnpkg.com/di/-/di-0.0.1.tgz#806649326ceaa7caa3306d75d985ea2748ba913c"
@ -18933,6 +18946,16 @@ nopt@^4.0.1:
    abbrev "1"
    osenv "^0.1.4"

+normalize-package-data@^2.0.0:
+  version "2.5.0"
+  resolved "https://registry.yarnpkg.com/normalize-package-data/-/normalize-package-data-2.5.0.tgz#e66db1838b200c1dfc233225d12cb36520e234a8"
+  integrity sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==
+  dependencies:
+    hosted-git-info "^2.1.4"
+    resolve "^1.10.0"
+    semver "2 || 3 || 4 || 5"
+    validate-npm-package-license "^3.0.1"
+
 normalize-package-data@^2.3.2, normalize-package-data@^2.3.4:
  version "2.4.0"
  resolved "https://registry.yarnpkg.com/normalize-package-data/-/normalize-package-data-2.4.0.tgz#12f95a307d58352075a04907b84ac8be98ac012f"
@ -22155,6 +22178,20 @@ read-all-stream@^3.0.0:
    pinkie-promise "^2.0.0"
    readable-stream "^2.0.0"

+read-installed@^4.0.3:
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/read-installed/-/read-installed-4.0.3.tgz#ff9b8b67f187d1e4c29b9feb31f6b223acd19067"
+  integrity sha1-/5uLZ/GH0eTCm5/rMfayI6zRkGc=
+  dependencies:
+    debuglog "^1.0.1"
+    read-package-json "^2.0.0"
+    readdir-scoped-modules "^1.0.0"
+    semver "2 || 3 || 4 || 5"
+    slide "~1.1.3"
+    util-extend "^1.0.1"
+  optionalDependencies:
+    graceful-fs "^4.1.2"
+
 read-only-stream@^2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/read-only-stream/-/read-only-stream-2.0.0.tgz#2724fd6a8113d73764ac288d4386270c1dbf17f0"
@ -22162,6 +22199,18 @@ read-only-stream@^2.0.0:
  dependencies:
    readable-stream "^2.0.2"

+read-package-json@^2.0.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/read-package-json/-/read-package-json-2.1.0.tgz#e3d42e6c35ea5ae820d9a03ab0c7291217fc51d5"
+  integrity sha512-KLhu8M1ZZNkMcrq1+0UJbR8Dii8KZUqB0Sha4mOx/bknfKI/fyrQVrG/YIt2UOtG667sD8+ee4EXMM91W9dC+A==
+  dependencies:
+    glob "^7.1.1"
+    json-parse-better-errors "^1.0.1"
+    normalize-package-data "^2.0.0"
+    slash "^1.0.0"
+  optionalDependencies:
+    graceful-fs "^4.1.2"
+
 read-pkg-up@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/read-pkg-up/-/read-pkg-up-1.0.1.tgz#9d63c13276c065918d57f002a57f40a1b643fb02"
@ -22272,6 +22321,16 @@ readable-stream@~2.0.6:
    string_decoder "~0.10.x"
    util-deprecate "~1.0.1"

+readdir-scoped-modules@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/readdir-scoped-modules/-/readdir-scoped-modules-1.1.0.tgz#8d45407b4f870a0dcaebc0e28670d18e74514309"
+  integrity sha512-asaikDeqAQg7JifRsZn1NJZXo9E+VwlyCfbkZhwyISinqk5zNS6266HS5kah6P0SaQKGF6SkNnZVHUzHFYxYDw==
+  dependencies:
+    debuglog "^1.0.1"
+    dezalgo "^1.0.0"
+    graceful-fs "^4.1.2"
+    once "^1.3.0"
+
 readdirp@^2.0.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/readdirp/-/readdirp-2.1.0.tgz#4ed0ad060df3073300c48440373f72d1cc642d78"
@ -24057,7 +24116,7 @@ slice-ansi@^2.1.0:
    astral-regex "^1.0.0"
    is-fullwidth-code-point "^2.0.0"

-slide@^1.1.5:
+slide@^1.1.5, slide@~1.1.3:
  version "1.1.6"
  resolved "https://registry.yarnpkg.com/slide/-/slide-1.1.6.tgz#56eb027d65b4d2dce6cb2e2d32c4d4afc9e1d707"
  integrity sha1-VusCfWW00tzmyy4tMsTUr8nh1wc=
@ -26709,6 +26768,11 @@ util-deprecate@^1.0.1, util-deprecate@^1.0.2, util-deprecate@~1.0.1:
  resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
  integrity sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=

+util-extend@^1.0.1:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/util-extend/-/util-extend-1.0.3.tgz#a7c216d267545169637b3b6edc6ca9119e2ff93f"
+  integrity sha1-p8IW0mdUUWljeztu3GypEZ4v+T8=
+
 util.promisify@1.0.0, util.promisify@~1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/util.promisify/-/util.promisify-1.0.0.tgz#440f7165a459c9a16dc145eb8e72f35687097030"