


Tommy Verrall 55a0f80d73 Feat: implement supply chain attack mitigation
- Add yarn resolutions for vulnerable packages (chalk, strip-ansi, color-convert, etc.)
- Add .npmrc and .nvmrc security configurations
2025-09-10 18:51:38 +02:00
6 changed files with 3408 additions and 3100 deletions
+58
@@ -0,0 +1,58 @@
# Security and sensitive files
.env*
*.key
*.pem
*.p12
*.pfx
secrets/
private/
config/secrets/
# Development files
node_modules/
.npm/
.npmrc
.nvmrc
*.log
*.tmp
.DS_Store
Thumbs.db
# Build artifacts
dist/
build/
target/
*.tgz
*.tar.gz
# IDE files
.vscode/
.idea/
*.swp
*.swo
*~
# Test files
test/
tests/
__tests__/
*.test.js
*.test.ts
*.spec.js
*.spec.ts
# Documentation
docs/
*.md
!README.md
# CI/CD files
.github/
.gitlab-ci.yml
.travis.yml
.circleci/
azure-pipelines.yml
# Scripts
scripts/
!scripts/security-check.sh
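Review bot: The negated entry `!scripts/security-check.sh` on the last line of the section is likely ineffective, because the preceding `scripts/` rule excludes the whole directory and a file beneath an excluded directory cannot be re-included under gitignore-style matching, which npm's packing rules also follow. If the intent is to keep the script, exclude the directory's contents instead, `scripts/*` followed by `!scripts/security-check.sh`, or drop the negation if the script is not meant to be distributed. The file's path is not shown on this page; the `.npmrc` and `.nvmrc` entries are sensible for an `.npmignore` (they keep registry settings out of a published tarball) but would contradict this very commit, which adds both files, if this is a `.gitignore`.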
+21
@@ -0,0 +1,21 @@
audit-level=moderate
fund=false
update-notifier=false
ignore-scripts=false
strict-ssl=true
registry=https://registry.npmjs.org/
audit=true
package-lock=true
package-lock-only=false
save-exact=false
# use npm ci for production builds (faster and more secure)
# this will be enforced in CI/CD scripts
# prevent installation of optional dependencies that might contain vulnerabilities
optional=false
audit=true
update-notifier=false
save-exact=false
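Review bot: `ignore-scripts=false` on the fourth line of the section leaves package lifecycle scripts enabled, which is the install-time execution path that supply-chain compromises rely on; a mitigation-focused .npmrc should set `ignore-scripts=true` and have CI re-enable scripts explicitly for the few packages that genuinely need them. `save-exact=false` likewise keeps range specifiers, so a newly published malicious patch release still satisfies a `^x.y.z` range; `save-exact=true` pins what gets added. `audit=true`, `update-notifier=false` and `save-exact=false` each appear twice in the file, so the duplicate trailing entries should be removed to keep a single source of truth. Note also that the comment lines refer to `npm ci` while the project's scripts and lockfile use yarn, and yarn classic presumably does not read npm's `audit`/`audit-level` options from .npmrc, so the audit settings here may have no effect on `yarn audit` — worth confirming before relying on them.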
+1
@@ -0,0 +1 @@
20.18.0
+17 -2
@@ -45,7 +45,15 @@
"types:lint:fix": "lerna run lint:fix --scope @nymproject/types --scope @nymproject/nym-wallet-app",
"audit:fix": "npm_config_yes=true npx yarn-audit-fix -- --dry-run",
"dev:on": "node sdk/typescript/scripts/dev-mode-add.mjs",
"dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs"
"dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs",
"security:audit": "yarn audit --level moderate",
"security:audit:fix": "yarn audit --fix",
"security:audit:ci": "yarn install --frozen-lockfile && yarn audit --level moderate",
"security:check": "yarn audit --level high && yarn list --depth=0",
"security:outdated": "yarn outdated",
"security:verify": "yarn audit --level moderate && yarn list --depth=0 && yarn outdated",
"security:full": "./scripts/security-check.sh",
"security:ci": "yarn install --frozen-lockfile && ./scripts/security-check.sh"
},
"devDependencies": {
"@npmcli/node-gyp": "^3.0.0",
@@ -62,6 +70,13 @@
"@cosmjs/proto-signing": "^0.32.4",
"@cosmjs/stargate": "^0.32.4",
"@cosmjs/cosmwasm-stargate": "^0.32.4",
"cosmjs-types": "^0.9.0"
"cosmjs-types": "^0.9.0",
"chalk": "5.3.0",
"strip-ansi": "7.1.0",
"color-convert": "2.0.1",
"color-name": "1.1.4",
"is-core-module": "2.13.1",
"error-ex": "1.3.2",
"has-ansi": "5.0.1"
}
}
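Review bot: The seven pinned packages added to `devDependencies` in the second hunk (chalk, strip-ansi, color-convert, color-name, is-core-module, error-ex, has-ansi) do not force those versions onto transitive dependents, so copies pulled in by other packages still resolve from their own ranges; the commit message promises yarn `resolutions`, which is the field that actually overrides nested versions. Moving the entries into a top-level `"resolutions"` block achieves that, with the caveat that forcing one major onto dependents that declare another (chalk 5 is ESM-only, for instance, and will break a consumer expecting chalk 4) can break them, so each target version must satisfy the ranges in use. In the first hunk, `"security:audit:fix": "yarn audit --fix"` relies on a flag that yarn classic's `audit` does not provide; the existing `audit:fix` script already delegates to `yarn-audit-fix`, and `security:audit:fix` should reuse that rather than a command that will fail. Both hunks sit inside objects whose boundaries are outside the hunk.
```json
  "resolutions": {
    "chalk": "5.3.0",
    "strip-ansi": "7.1.0",
    "color-convert": "2.0.1",
    "color-name": "1.1.4",
    "is-core-module": "2.13.1",
    "error-ex": "1.3.2",
    "has-ansi": "5.0.1"
  },
```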
+54
@@ -0,0 +1,54 @@
#!/bin/bash
set -e
echo "starting security checks..."
if [ ! -f "package.json" ]; then
echo "error: package.json not found, please run this script from the project root."
exit 1
fi
echo "checking Node.js version..."
if [ -f ".nvmrc" ]; then
REQUIRED_NODE_VERSION=$(cat .nvmrc)
CURRENT_NODE_VERSION=$(node --version | sed 's/v//')
echo "required Node.js version: $REQUIRED_NODE_VERSION"
echo "current Node.js version: $CURRENT_NODE_VERSION"
if [ "$CURRENT_NODE_VERSION" != "$REQUIRED_NODE_VERSION" ]; then
echo "warning: Node.js version mismatch, consider using nvm to switch to the required version."
fi
fi
echo "checking .npmrc configuration..."
if [ ! -f ".npmrc" ]; then
echo "Error: .npmrc file not found, security configurations are missing."
exit 1
fi
echo "checking yarn.lock..."
if [ ! -f "yarn.lock" ]; then
echo "error: yarn.lock not found, run 'yarn install' to generate it."
exit 1
fi
echo "running yarn audit..."
yarn audit --level moderate
echo "checking for outdated packages..."
yarn outdated || true
echo "verifying package integrity..."
yarn list --depth=0
echo "checking for known vulnerable packages..."
yarn audit --level high
echo "checking package sources..."
yarn list --depth=0 --json | jq -r '.data.trees[] | select(.children) | .children[] | select(.name | test("^https?://(?!registry\\.npmjs\\.org)")) | .name' || true
echo "checks completed successfully!"
echo ""
echo "always use 'yarn install --frozen-lockfile' in production environments"
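Review bot: The "checking package sources" step on the `yarn list --depth=0 --json | jq ...` line can never fail the script, because the trailing `|| true` swallows every status and a match only prints a name; it also presumably never matches at all, since `yarn list --json` reports `.name` as `package@version` rather than a URL, so a dependency fetched from a git host or a private server would pass unnoticed — confirm against the actual output. The lockfile already records the origin of every package in its `resolved` fields, so grepping those and exiting non-zero on any host other than the configured registry is a direct replacement (adjust the allowed hosts to the registry the project actually uses). Separately, `set -e` without `-o pipefail` hides a failing `yarn` behind `jq` in that pipeline, so the header should be `set -euo pipefail`, and `jq` is used without a `command -v jq >/dev/null || exit 1` guard. The `yarn list --depth=0` step labelled "verifying package integrity" only prints a tree; `yarn install --frozen-lockfile` (already used by the `security:ci` script) or `yarn check --integrity` is what compares the lockfile against what is installed.
```bash
echo "checking package sources..."
# yarn.lock records where each package was fetched from; anything outside the
# allowed registry hosts is reported and fails the check.
if grep -E '^[[:space:]]*resolved "' yarn.lock \
  | grep -vE '^[[:space:]]*resolved "https://registry\.(npmjs\.org|yarnpkg\.com)/'; then
  echo "error: packages resolved from outside the npm registry were found in yarn.lock" >&2
  exit 1
fi
# … unchanged: completion messages …
```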
+3257 -3098