sbp commented on issue #359: URL: https://github.com/apache/tooling-trusted-releases/issues/359#issuecomment-3657562796
Commit ffc0c99eee142e21fe73b927dab96041cfd6189c (followed by c03cb18d4e3d10b66bbc591d23121b694f348bba and 09296299e0b44c8a11abb5f721d36036f11256f4) incorporates some suggestions to improve our Bootstrap build process:

* Runs the whole process in an Alpine OCI container for weak isolation
* Runs as a specific regular build user
* Separates the process into (1) version pinning and (2) building from pinned versions
* Disables lifecycle scripts entirely in npm
* Ensures that versions are properly pinned using `save-exact` and `save-prefix`
* Runs npm audits immediately after installation, before anything is executed
* Sets a package cooldown of 14 days

Some or all of these components could be adopted as our baseline for installing JS packages if we need them for other reasons. We are continuing to use npm, and BAT is already using some similar yarn equivalents. Hopefully npm will have a `minimumReleaseAge` option soon, but it may be a while before that version lands in Alpine.
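An added, illustrative implementation of the 14-day package cooldown described in the comment above (this is example code, not code from the ffc0c99 commit or the tooling-trusted-releases project): it reads pinned versions from a `package-lock.json` and compares each version's publish date, in the shape `npm view <pkg> time --json` returns, against the cooldown, so a too-recent release fails the pinning step before anything is built. The `.npmrc` layout, lockfile fragment, versions and dates are constructed sample data.

```python
"""Enforce a publish-age cooldown on pinned npm packages (added example, not project code)."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=14)  # matches the 14-day cooldown in the comment above

# .npmrc content for the other settings described: no lifecycle scripts, exact pins
# (save-prefix left empty so no ^ or ~ range is written). Assumed layout, not the commit's.
NPMRC = "ignore-scripts=true\nsave-exact=true\nsave-prefix=\naudit=true\n"


def pinned_packages(lockfile: dict) -> dict:
    """Map package name -> pinned version from a lockfileVersion 2/3 'packages' table."""
    pins = {}
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        pins[path.rsplit("node_modules/", 1)[-1]] = meta["version"]
    return pins

def fetch_publish_times(name: str) -> dict:
    """Live lookup of version -> ISO publish time (the offline check below does not call this)."""
    return json.loads(subprocess.check_output(["npm", "view", name, "time", "--json"]))

def too_new(version: str, times: dict, now: datetime, cooldown: timedelta = COOLDOWN) -> bool:
    """True if `version` was published less than `cooldown` before `now`."""
    published = datetime.fromisoformat(times[version].replace("Z", "+00:00"))
    return now - published < cooldown

def check_cooldown(lockfile: dict, times_by_pkg: dict, now: datetime,
                   cooldown: timedelta = COOLDOWN) -> list:
    """Return sorted (name, version) pairs that violate the cooldown; empty means safe to build."""
    return sorted((name, ver) for name, ver in pinned_packages(lockfile).items()
                  if too_new(ver, times_by_pkg[name], now, cooldown))


# Constructed sample data: a lockfile fragment and publish times in `npm view ... time` shape.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "site", "version": "0.0.0"},
    "node_modules/bootstrap": {"version": "5.3.3"},
    "node_modules/@popperjs/core": {"version": "2.11.8"},
}}
SAMPLE_TIMES = {
    "bootstrap": {"5.3.3": "2024-02-20T12:00:00.000Z"},
    "@popperjs/core": {"2.11.8": "2025-06-15T10:00:00.000Z"},  # only 5 days old at SAMPLE_NOW
}
SAMPLE_NOW = datetime(2025, 6, 20, 12, 0, tzinfo=timezone.utc)
```

In a real pipeline `fetch_publish_times` would supply `times_by_pkg` for every name in the lockfile, and a non-empty result from `check_cooldown` should abort the build before `npm ci` runs.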
