Rules Hub

Coding Rules Library

← Back to all rules

Rule priority, scope & exceptions

Use this to align rules with the senior-level structure (P0/P1/P2, scope, exceptions/tradeoffs).

PriorityP1 — maintainability, architecture, long-term qualityScopeUniversal — language-agnostic, broadly applicable

Exceptions / tradeoffs (EN)Iznimke / tradeoffi (HR)

fullstack ruleP1universalStack: general

supply-chaindependenciesinstall-scriptspostinstallowasp-a06rce

Disable arbitrary install lifecycle scripts and allow them per-package

Block postinstall/preinstall scripts by default (ignore-scripts or pnpm's allowlist) so a compromised transitive package cannot run arbitrary code on install.

PR: owasp-security-canonCreated: Jun 17, 2026

Bad example

Old codejson

1	`// .npmrc (nothing set) → every dependency's postinstall runs with your privileges`
2	`// A typosquatted or hijacked transitive package ships:`
3	`// "scripts": { "postinstall": "node steal-env-and-ssh-keys.js" }`
4	// which executes during `pnpm install` before you ever import it.

Explanation (EN)

By default npm/pnpm run every dependency's preinstall/install/postinstall scripts. A single hijacked transitive package can exfiltrate env vars, tokens, and SSH keys at install time — no `import` of the package is ever required. This is the dominant npm supply-chain attack pattern.

Objašnjenje (HR)

Po defaultu npm/pnpm pokrecu preinstall/install/postinstall skripte svake ovisnosti. Jedan oteti tranzitivni paket moze ekstraktirati env varijable, tokene i SSH kljuceve pri instalaciji — `import` paketa nikad nije potreban. To je dominantan obrazac npm supply-chain napada.

Good example

New codejson

1	`# .npmrc — block scripts globally`
2	`ignore-scripts=true`
3
4	`# pnpm: allow only packages that legitimately need a build/postinstall step`
5	`# package.json`
6	`{`
7	`"pnpm": {`
8	`"onlyBuiltDependencies": ["esbuild", "@startsiden/charting_library"]`
9	`}`
10	`}`
11
12	`# Your own first-party postinstall stays explicit & reviewed:`
13	`# "postinstall": "node scripts/copyChartingLibrary.mjs"`

Explanation (EN)

Blocking scripts by default and explicitly allow-listing the handful of packages that need native builds means a newly hijacked transitive dependency cannot execute code at install. Your own first-party postinstall is reviewed in your repo, not pulled blindly from the registry.

Objašnjenje (HR)

Blokiranje skripti po defaultu i eksplicitno dopustanje samo nekolicine paketa kojima trebaju nativni buildovi znaci da tek oteta tranzitivna ovisnost ne moze izvrsiti kod pri instalaciji. Tvoj vlastiti postinstall pregledan je u tvom repou, ne povucen naslijepo iz registryja.

Exceptions / Tradeoffs (EN)

Some packages (esbuild, sharp, native addons) legitimately need a build step — allowlist those explicitly via pnpm onlyBuiltDependencies or run an audited install. First-party scripts in your own package.json are fine since they are version-controlled and reviewed.

Iznimke / Tradeoffi (HR)

Neki paketi (esbuild, sharp, nativni dodaci) legitimno trebaju build korak — njih eksplicitno dopusti preko pnpm onlyBuiltDependencies ili pokreni revidiranu instalaciju. Vlastite skripte u tvom package.json su u redu jer su pod verzijskom kontrolom i pregledane.

Login required