fix(npm): Run npm install with —ignore-scripts

2bd45228 · Rhys Arkins · cd762c7b · 2bd45228 · 2bd45228
Commit 2bd45228 authored 7 years ago by Rhys Arkins
--- a/lib/workers/branch/index.js
+++ b/lib/workers/branch/index.js
@@ -68,7 +68,6 @@ async function ensureBranch(config) {

  const commitMessage = handlebars.compile(config.commitMessage)(config);
  const api = config.api;
-  const versions = config.versions;
  const cacheFolder = config.yarnCacheFolder;
  const packageFiles = {};
  const commitFiles = [];
@@ -144,7 +143,7 @@ async function ensureBranch(config) {
          packageFiles[packageFile],
          api,
          config.versions.npm,
-          versions.npm
+          logger
        );
        if (packageLockFile) {
          // Add new package-lock.json file too

--- a/lib/workers/branch/npm.js
+++ b/lib/workers/branch/npm.js
-const logger = require('../../logger');
 const fs = require('fs');
 const cp = require('child_process');
 const tmp = require('tmp');
 const path = require('path');

+let logger = require('../../logger');
+
 module.exports = {
  generateLockFile,
  getLockFile,
@@ -20,12 +21,14 @@ async function generateLockFile(newPackageJson, npmrcContent) {
      fs.writeFileSync(path.join(tmpDir.name, '.npmrc'), npmrcContent);
    }
    logger.debug('Spawning npm install');
-    const result = cp.spawnSync('npm', ['install'], {
+    const result = cp.spawnSync('npm', ['install', '--ignore-scripts'], {
      cwd: tmpDir.name,
      shell: true,
    });
-    logger.debug(String(result.stdout));
-    logger.debug(String(result.stderr));
+    logger.debug(
+      { stdout: String(result.stdout), stderr: String(result.stderr) },
+      'npm install complete'
+    );
    packageLock = fs.readFileSync(path.join(tmpDir.name, 'package-lock.json'));
  } catch (error) /* istanbul ignore next */ {
    try {
@@ -43,7 +46,14 @@ async function generateLockFile(newPackageJson, npmrcContent) {
  return packageLock;
 }

-async function getLockFile(packageFile, packageContent, api, npmVersion) {
+async function getLockFile(
+  packageFile,
+  packageContent,
+  api,
+  npmVersion,
+  parentLogger
+) {
+  logger = parentLogger || logger;
  // Detect if a package-lock.json file is in use
  const packageLockFileName = path.join(
    path.dirname(packageFile),
@@ -78,6 +88,7 @@ async function getLockFile(packageFile, packageContent, api, npmVersion) {
 }

 async function maintainLockFile(inputConfig) {
+  logger = inputConfig.logger || logger;
  logger.trace({ config: inputConfig }, `maintainLockFile`);
  const packageContent = await inputConfig.api.getFileContent(
    inputConfig.packageFile