[6.x] Prevent npm packages from executing malicious code via postinstall (#14417)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Jason Varga <jason@pixelfear.com>

Author: 3 people

src/Console/Commands/Concerns/MakesVueComponents.php

@@ -81,7 +81,7 @@ private function wireUpAddonJs(string $addon): void
 
         $this->files->makeDirectory($addonPath.'/resources/dist', 0777, true, true);
 
-        Process::path(base_path())->run('npm install', function (string $type, string $buffer) {
+        Process::path(base_path())->run('npm install --ignore-scripts', function (string $type, string $buffer) {
             echo $buffer;
         });
 

src/Console/Commands/SetupCpVite.php

@@ -63,14 +63,14 @@ private function installDependencies(): self
 
                 File::put($packageJsonPath, json_encode($contents, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
 
-                return Process::path(base_path())->run('npm install');
+                return Process::path(base_path())->run('npm install --ignore-scripts');
             },
             message: 'Installing dependencies...'
         );
 
         if ($result->failed()) {
             $this->line($result->errorOutput() ?: $result->output());
-            $this->components->error('Failed to install dependencies. You need to run "npm install" manually.');
+            $this->components->error('Failed to install dependencies. You need to run "npm install --ignore-scripts" manually.');
 
             return $this;
         }

tests/Console/Commands/MakeFieldtypeTest.php

@@ -102,7 +102,7 @@ public function boot(): void
             ->artisan('statamic:make:fieldtype', ['name' => 'KnightRider'])
             ->expectsQuestion("It doesn't look like Vite is setup for the Control Panel. Would you like to run `php please setup-cp-vite`?", true);
 
-        Process::assertRan('npm install');
+        Process::assertRan('npm install --ignore-scripts');
 
         $this->assertFileExists($fieldtype = base_path('app/Fieldtypes/KnightRider.php'));
         $this->assertStringContainsString('namespace App\Fieldtypes;', $this->files->get($fieldtype));
@@ -167,7 +167,7 @@ public function it_can_make_a_fieldtype_into_an_addon()
 
         $this->artisan('statamic:make:fieldtype', ['name' => 'Yoda', 'addon' => 'yoda/bag-odah']);
 
-        Process::assertRan('npm install');
+        Process::assertRan('npm install --ignore-scripts');
 
         $this->assertFileExists($fieldtype);
         $this->assertStringContainsString('namespace Yoda\BagOdah\Fieldtypes;', $this->files->get($fieldtype));

tests/Console/Commands/MakeWidgetTest.php

@@ -111,7 +111,7 @@ public function boot(): void
             ->artisan('statamic:make:widget', ['name' => 'Sloth'])
             ->expectsQuestion("It doesn't look like Vite is setup for the Control Panel. Would you like to run `php please setup-cp-vite`?", true);
 
-        Process::assertRan('npm install');
+        Process::assertRan('npm install --ignore-scripts');
 
         $this->assertFileExists($widget);
         $this->assertStringContainsString('namespace App\Widgets;', $this->files->get($widget));

tests/Console/Commands/SetupCpViteTest.php

@@ -50,7 +50,7 @@ public function it_installs_dependencies()
             ->artisan('statamic:setup-cp-vite')
             ->expectsOutputToContain('Installed dependencies');
 
-        Process::assertRan('npm install');
+        Process::assertRan('npm install --ignore-scripts');
 
         $this->assertStringContainsString(<<<'JSON'
     "dependencies": {