Dear list members,
two additions to my last email:
1. According to OWASP[1] the --ignore-scripts flag should be appended as well.
Full command:
npm install --omit=dev --ignore-scripts
2. Target release for this change will be ILIAS 9; ILIAS <= 8 will NOT be affected.
Best regards, Michael
on behalf of the ILIAS e.V. and the Technical Board
[1] https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
On 08.03.2023 10:00, mjansen wrote:
Dear list members,
in addition to the discussion and public announcement in the ILIAS JourFixe[1] of 06. Mar 2023, we also push the information onto this channel that the 'npm'[2] dependencies and thus the 'node_modules' folder will be removed from the ILIAS codebase in Git with the integration of PR 5128[3].
All 'npm' dependencies will still be automatically added to the release builds (linked on the official ILIAS release pages) on GitHub[4]. While applying this change we will take the chance to also remove unneeded directories (like test folders) and files from the zip and tar files.
With this change 'npm' will become a requirement for ILIAS installations based on Git branches/tags. To install the 'npm' dependencies on such installations, you'll have to execute:
npm install --omit=dev
The --omit=dev flag can be ignored for development installations.
If you have any further questions, don't hesitate to contact us (e.g. on Discord).
Best regards, Michael
on behalf of the ILIAS e.V. and the Technical Board
[1] https://docu.ilias.de/goto_docu_wiki_wpage_7783_1357.html
[2] https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/docs/development/js/thir...
[3] https://github.com/ILIAS-eLearning/ILIAS/pull/5128
[4] https://github.com/ILIAS-eLearning/ILIAS/releases
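
Added example (not part of the original emails and not ILIAS code): a Node.js check that lists which packages in a package-lock.json declare install scripts, i.e. what --ignore-scripts keeps from running, and which of those --omit=dev would still install. The lockfile content and package names are constructed, and the lockfileVersion 2/3 "packages" layout is assumed.

```javascript
// Constructed sample in the package-lock.json "packages" layout
// (lockfileVersion 2/3). All package names are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/native-addon": { version: "1.0.0", hasInstallScript: true },
    "node_modules/plain-lib": { version: "2.1.0" },
    "node_modules/build-tool": { version: "3.0.0", dev: true, hasInstallScript: true },
    "node_modules/plain-lib/node_modules/nested-hook": { version: "0.4.2", hasInstallScript: true },
  },
};

// Return the packages that declare install scripts, split by whether
// `npm install --omit=dev` would still install them.
function auditInstallScripts(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("lockfile has no 'packages' section (lockfileVersion 1?)");
  }
  const marker = "node_modules/";
  const result = { production: [], devOnly: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta.hasInstallScript) continue; // "" is the root project
    // Nested and scoped packages: the name follows the last "node_modules/".
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    const entry = { name, version: meta.version, path };
    (meta.dev ? result.devOnly : result.production).push(entry);
  }
  return result;
}

const sampleReport = auditInstallScripts(sampleLock);
console.log("Installed with --omit=dev; install scripts skipped by --ignore-scripts:");
for (const p of sampleReport.production) console.log(`  ${p.name}@${p.version} (${p.path})`);
console.log("Declares install scripts but not installed with --omit=dev:");
for (const p of sampleReport.devOnly) console.log(`  ${p.name}@${p.version}`);
```

To audit a real checkout, pass the parsed contents of its package-lock.json to auditInstallScripts. Packages in the first list that rely on their install script to build (native addons, for example) are not built when --ignore-scripts is used.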