[wp-trac] [WordPress Trac] #64543: Implement `ignore-scripts` to harden npm usage

WordPress Trac noreply at wordpress.org
Fri May 8 02:11:16 UTC 2026


#64543: Implement `ignore-scripts` to harden npm usage
------------------------------+------------------------------
 Reporter:  johnbillion       |       Owner:  (none)
     Type:  task (blessed)    |      Status:  new
 Priority:  normal            |   Milestone:  Awaiting Review
Component:  Build/Test Tools  |     Version:
 Severity:  normal            |  Resolution:
 Keywords:                    |     Focuses:  javascript
------------------------------+------------------------------

Comment (by desrosj):

 In [changeset:"62330" 62330]:
 {{{
 #!CommitTicketReference repository="" revision="62330"
 Build/Test Tools: Remove `gutenberg:verify` script on `postinstall`.

 In [61458], a `postinstall` script was introduced that ensured the source
 code from the `gutenberg` repository was present before attempting to run
 the build script.

 The WordPress.org Hosting Tests surfaced an edge case where the
 `postinstall` script was failing when `nodevenv` is used. Because it
 serves as a wrapper for Node.js, `NPM_CONFIG_PREFIX` is set to the virtual
 environment directory and not the actual project source directory.

 This removes `gutenberg:verify` from `postinstall` entirely.
 `gutenberg:verify` is responsible for confirming that the `gutenberg`
 directory exists, that the commit SHA value in `gutenberg/.gutenberg-hash`
 matches `gutenberg.sha` in the `package.json` file, and it downloads a
 fresh copy if not.

 While this will result in the necessary files not being present locally
 after running `npm install`, `gutenberg:verify` is specified as the first
 task executed when the `build` and `build:dev` scripts are run. Running
 either build script has been a requirement to run WordPress locally for
 some time now, so this does not introduce a new required step. It simply
 delays when the built asset will be retrieved from the GitHub Container
 Registry when necessary.

 `postinstall` scripts should also be avoided entirely due to their
 significantly insecure nature (see #64543).

 Follow up to [61492], [61873], and [62021].

 Reviewed by jorbin.
 Merges [62321] to the 7.0.

 Props jorbin, johnbillion, desrosj.
 Fixes #64874. See #64393, #64543.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64543#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform