docs: Disable automatic npm caching to mitigate cache poisoning risks

This commit is contained in:
chiranjib-swain 2026-07-02 16:16:36 +05:30
parent 01fa5fb56a
commit 042b7c233c
2 changed files with 24 additions and 4 deletions

View File

@ -119,6 +119,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
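Review bot: the inline comment "Disable automatic npm caching if not required" is vaguer than the rationale in the commit title (cache poisoning) and than the wording used later in the publishing examples ("to reduce cache poisoning risk"); consider using one consistent comment across all the README examples so a reader of this hunk learns why the input is being set rather than just that it is optional, e.g. `package-manager-cache: false # Disable automatic npm caching to reduce cache poisoning risk`.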
@ -217,6 +218,7 @@ jobs:
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: ${{ matrix.node }} node-version: ${{ matrix.node }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -232,6 +234,7 @@ uses: actions/setup-node@v6
with: with:
token: ${{ secrets.GH_DOTCOM_TOKEN }} token: ${{ secrets.GH_DOTCOM_TOKEN }}
node-version: 24 node-version: 24
package-manager-cache: false # Disable automatic npm caching if not required
``` ```
If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information. If the runner is not able to access github.com, any Nodejs versions requested during a workflow run must come from the runner's tool cache. See "[Setting up the tool cache on self-hosted runners without internet access](https://docs.github.com/en/enterprise-server@3.2/admin/github-actions/managing-access-to-actions-from-githubcom/setting-up-the-tool-cache-on-self-hosted-runners-without-internet-access)" for more information.

View File

@ -69,6 +69,7 @@ steps:
with: with:
node-version: '24' node-version: '24'
check-latest: true check-latest: true
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -86,6 +87,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version-file: '.nvmrc' node-version-file: '.nvmrc'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -131,6 +133,7 @@ jobs:
with: with:
node-version: '24' node-version: '24'
architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -151,6 +154,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0 node-version: '24.0.0-v8-canary' # it will install the latest v8 canary release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -166,6 +170,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24 node-version: '24-v8-canary' # it will install the latest v8 canary release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -182,6 +187,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: 'v24.0.0-v8-canary2025030537242e55ac' node-version: 'v24.0.0-v8-canary2025030537242e55ac'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -202,6 +208,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24-nightly' # it will install the latest nightly release for node 24 node-version: '24-nightly' # it will install the latest nightly release for node 24
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -218,6 +225,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0 node-version: '24.0.0-nightly' # it will install the latest nightly release for node 24.0.0
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -234,6 +242,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-nightly202505066102159fa1' node-version: '24.0.0-nightly202505066102159fa1'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -252,6 +261,7 @@ jobs:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.0.0-rc.4' node-version: '24.0.0-rc.4'
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -344,6 +354,7 @@ steps:
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: '24' node-version: '24'
package-manager-cache: false # Disable automatic npm caching if not required
- name: Normalize runner architecture - name: Normalize runner architecture
shell: bash shell: bash
@ -404,6 +415,7 @@ jobs:
with: with:
node-version: ${{ matrix.node_version }} node-version: ${{ matrix.node_version }}
architecture: ${{ matrix.architecture }} architecture: ${{ matrix.architecture }}
package-manager-cache: false # Disable automatic npm caching if not required
- run: npm ci - run: npm ci
- run: npm test - run: npm test
``` ```
@ -416,7 +428,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci - run: npm ci
- run: npm publish - run: npm publish
env: env:
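Review bot: this publishing example now disables caching but still runs plain `npm ci` before `npm publish` with `NODE_AUTH_TOKEN` in the environment; the later hunk in this same file already uses `npm ci --ignore-scripts` with the comment that a malicious post-install script could steal `NODE_AUTH_TOKEN`. Since the stated motivation of this change is keeping attacker-controlled code away from publish credentials, it would be consistent to apply the same `--ignore-scripts` form here (or add a sentence pointing at that later example).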
@ -424,7 +436,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm publish - run: npm publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -438,6 +450,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: <registry url> registry-url: <registry url>
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn install --frozen-lockfile - run: yarn install --frozen-lockfile
- run: yarn publish - run: yarn publish
env: env:
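Review bot: the comment on the added line reads "Disable automatic npm dependency caching", but the steps in this hunk run `yarn install --frozen-lockfile` and `yarn publish`, so the comment names the wrong package manager; suggest wording it generically, e.g. `package-manager-cache: false # Disable automatic package manager caching to reduce cache poisoning risk`. The same npm wording appears in the two following yarn hunks (the `npm.pkg.github.com` yarn publish example and the `.yarnrc.yml` example) and should be adjusted there too.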
@ -445,6 +458,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
registry-url: 'https://npm.pkg.github.com' registry-url: 'https://npm.pkg.github.com'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: yarn publish - run: yarn publish
env: env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -458,6 +472,7 @@ steps:
with: with:
node-version: '24.x' node-version: '24.x'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
# Skip post-install scripts here, as a malicious # Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN. # script could steal NODE_AUTH_TOKEN.
- run: npm ci --ignore-scripts - run: npm ci --ignore-scripts
@ -477,6 +492,7 @@ steps:
- uses: actions/setup-node@v6 - uses: actions/setup-node@v6
with: with:
node-version: '24.x' node-version: '24.x'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- name: Setup .yarnrc.yml - name: Setup .yarnrc.yml
run: | run: |
yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com" yarn config set npmScopes.my-org.npmRegistryServer "https://npm.pkg.github.com"
@ -507,7 +523,7 @@ Trusted publishing requires a compatible npm version:
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used). You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
> **Note**: Set `package-manager-cache: false` in publishing workflows because automatic npm caching can activate even without the `cache:` input, and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code. > **Note**: In publishing workflows, set `package-manager-cache: false` because setup-node enables npm caching automatically when `package.json` specifies npm via `packageManager` or `devEngines.packageManager` (see [Running without a lockfile](#running-without-a-lockfile)), and a poisoned cache may expose credentials (including OIDC tokens) to attacker-controlled code.
### Example workflow ### Example workflow
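Review bot: the reworded note introduces an intra-document link to `#running-without-a-lockfile`; the diff does not show a heading with that title, so please confirm a `Running without a lockfile` section exists in this README with exactly that anchor, otherwise the link will render but go nowhere. Content-wise the new text is an improvement over the old one because it names the concrete trigger (`packageManager` or `devEngines.packageManager` in `package.json`) instead of just saying caching "can activate even without the `cache:` input"; consider splitting the single long sentence in two so the trigger and the consequence (credential exposure, including OIDC tokens) each stand on their own.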
@ -523,7 +539,7 @@ You must also configure a **Trusted Publisher** in npm for your package/scope th
with: with:
node-version: '24' node-version: '24'
registry-url: 'https://registry.npmjs.org' registry-url: 'https://registry.npmjs.org'
package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk package-manager-cache: false # Disable automatic npm dependency caching to reduce cache poisoning risk
- run: npm ci - run: npm ci
- run: npm run build --if-present - run: npm run build --if-present
@ -547,4 +563,5 @@ The token will be passed in the `Authorization` header.
node-version: '24.x' node-version: '24.x'
mirror: 'https://nodejs.org/dist' mirror: 'https://nodejs.org/dist'
mirror-token: 'your-mirror-token' mirror-token: 'your-mirror-token'
cache-package-manager: false # Disable automatic npm caching if not required
``` ```
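Review bot: the added line in this hunk uses `cache-package-manager: false`, while every other hunk in this commit uses `package-manager-cache: false`. An input name the action does not declare is not applied (the runner only logs an "Unexpected input(s)" warning), so this mirror example would silently keep automatic caching enabled, which is exactly the condition the commit is trying to document against; change it to `package-manager-cache: false # Disable automatic npm caching if not required` to match the rest of the README.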