chore: harden npm supply chain controls (#11157)

This commit is contained in:
Alan Buscaglia
2026-05-13 17:30:25 +02:00
committed by GitHub
parent 4dd5baadf6
commit 0b4393776c
12 changed files with 58 additions and 25 deletions
+1
View File
@@ -36,6 +36,7 @@ Please add a detailed description of how to review this PR.
#### UI
- [ ] All issue/task requirements work as expected on the UI
- [ ] If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
- [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
- [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
- [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
+4
View File
@@ -132,6 +132,10 @@ jobs:
if: steps.check-changes.outputs.any_changed == 'true'
run: pnpm run healthcheck
- name: Run pnpm audit
if: steps.check-changes.outputs.any_changed == 'true'
run: pnpm run audit
- name: Run unit tests (all - critical paths changed)
if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed == 'true'
run: |
+2 -2
View File
@@ -10,10 +10,10 @@ This repository contains the Prowler Open Source documentation powered by [Mintl
## Local Development
Install the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:
Install a reviewed version of the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:
```bash
npm i -g mint
npm install --global mint@4.2.560
```
Run the following command at the root of your documentation (where `mint.json` is located):
+1 -1
View File
@@ -28,7 +28,7 @@ This includes the [AGENTS.md](https://github.com/prowler-cloud/prowler/blob/mast
<Steps>
<Step title="Install Mintlify CLI">
```bash
npm i -g mint
npm install --global mint@4.2.560
```
For detailed instructions, check the [Mintlify documentation](https://www.mintlify.com/docs/installation).
</Step>
@@ -44,13 +44,21 @@ Choose the configuration based on your deployment:
<Tab title="Generic without Native HTTP Support">
**Configuration:**
<Warning>
Avoid configuring MCP clients to run `npx mcp-remote` directly. `npx` can download and execute a new package version on each run. Install a reviewed version of `mcp-remote` in a dedicated local workspace, then point the MCP client to the installed binary.
</Warning>
```bash
mkdir -p ~/.local/share/prowler-mcp-bridge
cd ~/.local/share/prowler-mcp-bridge
npm init -y
npm install --save-exact mcp-remote@0.1.38
```
```json
{
"mcpServers": {
"prowler": {
"command": "npx",
"command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
"args": [
"mcp-remote",
"https://mcp.prowler.com/mcp", // or your self-hosted Prowler MCP Server URL
"--header",
"Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -72,14 +80,20 @@ Choose the configuration based on your deployment:
2. Go to "Developer" tab
3. Click in "Edit Config" button
4. Edit the `claude_desktop_config.json` file with your favorite editor
5. Add the following configuration:
5. Install a reviewed version of `mcp-remote` in a dedicated local workspace:
```bash
mkdir -p ~/.local/share/prowler-mcp-bridge
cd ~/.local/share/prowler-mcp-bridge
npm init -y
npm install --save-exact mcp-remote@0.1.38
```
6. Add the following configuration:
```json
{
"mcpServers": {
"prowler": {
"command": "npx",
"command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
"args": [
"mcp-remote",
"https://mcp.prowler.com/mcp",
"--header",
"Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -38,7 +38,7 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
- `git` installed.
- `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
- `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
- `pnpm` installed through [Corepack](https://pnpm.io/installation#using-corepack) or the standalone [pnpm installation](https://pnpm.io/installation).
- `Docker Compose` installed: https://docs.docker.com/compose/install/.
<Warning>
@@ -97,9 +97,11 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
```bash
git clone https://github.com/prowler-cloud/prowler \
cd prowler/ui \
npm install \
npm run build \
npm start
corepack enable \
corepack install \
pnpm install --frozen-lockfile \
pnpm run build \
pnpm start
```
> Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.
@@ -22,7 +22,7 @@ Install promptfoo using one of the following methods:
**Using npm:**
```bash
npm install -g promptfoo
npm install --global promptfoo@0.121.11
```
**Using Homebrew (macOS):**
+10 -2
View File
@@ -56,13 +56,21 @@ Prowler MCP Server can be used in three ways:
- Managed and maintained by Prowler team
- Always up-to-date
Install a reviewed version of `mcp-remote` in a dedicated local workspace first. Avoid running `npx mcp-remote` directly because it can download and execute a new package version on each run.
```bash
mkdir -p ~/.local/share/prowler-mcp-bridge
cd ~/.local/share/prowler-mcp-bridge
npm init -y
npm install --save-exact mcp-remote@0.1.38
```
```json
{
"mcpServers": {
"prowler": {
"command": "npx",
"command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
"args": [
"mcp-remote",
"https://mcp.prowler.com/mcp",
"--header",
"Authorization: Bearer pk_YOUR_API_KEY_HERE"
+1
View File
@@ -226,5 +226,6 @@ pnpm run test:e2e:ui
- [ ] Relevant E2E tests pass
- [ ] All UI states handled (loading, error, empty)
- [ ] No secrets in code (use `.env.local`)
- [ ] New npm dependencies include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and a rationale for not using existing/native alternatives.
- [ ] Error messages sanitized
- [ ] Server-side validation present
+2 -2
View File
@@ -109,10 +109,10 @@ export function MyComponent() {
## Adding New shadcn Components
When adding new shadcn components using the CLI:
When adding new shadcn components using the CLI, pin the reviewed CLI version instead of using `@latest`:
```bash
npx shadcn@latest add [component-name]
pnpm dlx shadcn@4.7.0 add [component-name]
```
The component will be automatically added to this directory due to the configuration in `components.json`:
+2
View File
@@ -28,6 +28,8 @@
"test:e2e:headed": "playwright test --project=auth --project=sign-up --project=providers --project=invitations --project=scans --headed",
"test:e2e:report": "playwright show-report",
"test:e2e:install": "playwright install",
"audit": "pnpm audit --audit-level critical",
"audit:high": "pnpm audit --audit-level high",
"audit:fix": "pnpm audit fix"
},
"dependencies": {
+9 -8
View File
@@ -14,20 +14,21 @@ minimumReleaseAge: 1440
# --- Level 2: Explicit Build Script Allow-list ---
# Only these packages may run install/postinstall lifecycle scripts.
# Any unlisted package with lifecycle scripts will have them silently skipped.
onlyBuiltDependencies:
# Any unlisted package with lifecycle scripts fails the install.
strictDepBuilds: true
allowBuilds:
# sharp: Native image processing (libvips). Installs platform-specific pre-built binary or compiles from source.
- sharp
sharp: true
# @sentry/cli: Downloads the sentry-cli native binary for the current platform. Validates integrity via SHA256.
- "@sentry/cli"
"@sentry/cli": true
# esbuild: Go binary. Downloads the pre-compiled binary matching the current platform/architecture.
- esbuild
esbuild: true
# @heroui/shared-utils: Demi pattern — detects React/Next.js version at install time and copies the compatible bundle (React 18 vs 19).
- "@heroui/shared-utils"
"@heroui/shared-utils": true
# unrs-resolver: Rust module resolver (NAPI-RS). Verifies the correct native binding is available for the platform.
- unrs-resolver
unrs-resolver: true
# msw: Copies mockServiceWorker.js into the directories listed in package.json's `msw.workerDirectory` (here: `public/`) so the runtime worker stays in sync with the installed msw version. Pure file copy — no native binary, no network access. Required for vitest browser tests to intercept fetches via the service worker.
- msw
msw: true
# --- Level 3: Trust Policy + Exotic Subdeps ---
# Fail when a package's trust evidence is downgraded (e.g., new publisher).