readme updates
parent 14562f70c4
commit 92a14d504b
README.md | 16
@ -1,18 +1,22 @@
This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).
## Working with dependencies
Whenever you change dependencies (adding, removing, or updating), there are various files that must be kept up-to-date. Newly added, or updated dependencies, can introduce unwanted scripts that runs unknowingly, that could introduce risks for users and/or developers. The `lavamoat allow-scripts` feature allows us to control this with a zero trust approach, but adds some additional steps to the usual workflow.
When updating dependencies, there are various files that must be kept up-to-date. Newly added, or updated dependencies can introduce unwanted/malicious scripts that can introduce risks for users and/or developers. The `lavamoat allow-scripts` feature allows us to deny by default, but adds some additional steps to the usual workflow.
`yarn.lock`:
- Instead of running `yarn` or `yarn install`, run `yarn setup` to ensure the `yarn.lock` file is in sync and that the dependency scripts are run according to the `allow-script` policy (set in `packages.json`)
The `allow-scripts` configuration in `package.json`:
- Run `yarn allow-scripts auto` to update the `allow-scripts` configuration automatically. This config determines whether the package's install/postinstall scripts are allowed to run.
- Alternatively update the allow-scripts section manually.
- Instead of running `yarn` or `yarn install`, run `yarn setup` to ensure the `yarn.lock` file is in sync and that dependency scripts are run according to the `allowScripts` policy (set in `packages.json`)
- If `lavamoat` detects new scripts that are not explicitely allowed/denied, it'll throw and error with details (see below)
The `allowScripts` configuration in `package.json`:
- There are two ways to configure script policies:
⋅⋅* Update the allow-scripts section manually by adding the missing package in the `allowScripts` section in `package.json`
⋅⋅* Run `yarn allow-scripts auto` to update the `allowScripts` configuration automatically
- Review each new package to determine whether the install script needs to run or not, testing if necessary.
- Use `npx can-i-ignore-scripts` to help assessing whether scripts are needed
## Getting Started
First, run the development server:
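Review bot: the added `yarn setup` bullet says the `allowScripts` policy is "set in `packages.json`", while the section heading that follows says the `allowScripts` configuration lives in `package.json`; the file name should be `package.json` in both places so readers edit the right file. Two smaller fixes in the same hunk: "explicitely allowed/denied, it'll throw and error" should read "explicitly allowed/denied, it'll throw an error", and "(see below)" promises error details that the README never shows, so either add the sample output or drop the reference. The nested items written as `⋅⋅* Update ...` and `⋅⋅* Run ...` will render the `⋅⋅` characters literally in Markdown; indent them with two spaces instead. Finally, the text does not say what `yarn allow-scripts auto` writes for a newly detected package (allowed or denied), so state that, and consider placing the manual review steps ("Review each new package ...", `npx can-i-ignore-scripts`) before the `auto` option so the deny-by-default intent stated at the top of the section is not undercut by running `auto` first.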