From 32be517565edf50d1d5964d168a4acf4c0ed235c Mon Sep 17 00:00:00 2001
From: Shuchang Zheng
Date: Wed, 22 Apr 2026 15:56:36 -0700
Subject: [PATCH] chore(security): add .npmrc ignore-scripts to remaining npm workspaces (#5603)
Co-authored-by: Claude Opus 4.7 (1M context)
---
skyvern-frontend/.npmrc | 5 +++++
skyvern-ts/client/.npmrc | 5 +++++
tests/sdk/typescript_sdk/.npmrc | 5 +++++
3 files changed, 15 insertions(+)
create mode 100644 skyvern-frontend/.npmrc
create mode 100644 skyvern-ts/client/.npmrc
create mode 100644 tests/sdk/typescript_sdk/.npmrc
diff --git a/skyvern-frontend/.npmrc b/skyvern-frontend/.npmrc
new file mode 100644
index 000000000..5c429893e
--- /dev/null
+++ b/skyvern-frontend/.npmrc
@@ -0,0 +1,5 @@
+# Supply chain protection: do not run lifecycle scripts (preinstall, install,
+# postinstall) on npm install. Blocks worms like "Shai-Hulud" from executing
+# on a compromised dependency before we notice. If a package genuinely needs
+# its install script, use @lavamoat/allow-scripts to allowlist it.
+ignore-scripts=true
diff --git a/skyvern-ts/client/.npmrc b/skyvern-ts/client/.npmrc
new file mode 100644
index 000000000..5c429893e
--- /dev/null
+++ b/skyvern-ts/client/.npmrc
@@ -0,0 +1,5 @@
+# Supply chain protection: do not run lifecycle scripts (preinstall, install,
+# postinstall) on npm install. Blocks worms like "Shai-Hulud" from executing
+# on a compromised dependency before we notice. If a package genuinely needs
+# its install script, use @lavamoat/allow-scripts to allowlist it.
+ignore-scripts=true
diff --git a/tests/sdk/typescript_sdk/.npmrc b/tests/sdk/typescript_sdk/.npmrc
new file mode 100644
index 000000000..5c429893e
--- /dev/null
+++ b/tests/sdk/typescript_sdk/.npmrc
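Review bot: The comment in skyvern-frontend/.npmrc (repeated verbatim in skyvern-ts/client/.npmrc and tests/sdk/typescript_sdk/.npmrc) overstates what `ignore-scripts=true` covers. It stops install-time lifecycle scripts, but code in a compromised dependency still runs once the build, the tests or the app import that package. I would add a line such as `# Does not stop code that runs when a package is imported; lockfile pinning and review of dependency updates are still required.` The comment also points to @lavamoat/allow-scripts, which this patch does not add or configure in any of the three workspaces as far as the diff shows, so either wire it up or state in the comment that it is not set up yet.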
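Review bot: In skyvern-ts/client/.npmrc the setting also applies to this package's own scripts, not only to those of its dependencies. With `ignore-scripts=true` npm skips the project's `prepare`/`prepack`/`prepublishOnly` hooks and the `pre`/`post` hooks around `npm run`, while the explicitly named script still runs. package.json is not part of this diff, so check whether the client's build or publish flow relies on any of those hooks and, if so, call that step explicitly in the release job. The same check applies to the other two workspaces, and the comment could record it: `# Also disables this package's own pre/post and prepare hooks; run those steps explicitly.`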
@@ -0,0 +1,5 @@
+# Supply chain protection: do not run lifecycle scripts (preinstall, install,
+# postinstall) on npm install. Blocks worms like "Shai-Hulud" from executing
+# on a compromised dependency before we notice. If a package genuinely needs
+# its install script, use @lavamoat/allow-scripts to allowlist it.
+ignore-scripts=true