chore(dev): NPM scripts lifecycle checks (pre/post/install security),…

… see https://docs.npmjs.com/cli/v10/using-npm/scripts (note: Thorium integrates https://socket.dev )

.github/workflows/main.yml

@@ -139,7 +139,7 @@ jobs:
     - run: npm cache clean --force
     - run: npm cache verify
     - run: cat package-lock.json | grep -i divina-player-js
-    - run: npm ci
+    - run: npm ci --foreground-scripts
     - run: npm list -g node-gyp || echo ok
     - run: npm list node-gyp || echo ok
     - name: PR action (just build)

README.md

@@ -58,7 +58,7 @@ See: https://github.com/edrlab/thorium-reader/wiki/Localization-(l10n)-language-
 
 ### Install dependencies
 
-* `npm install` (or `npm ci`): initialize local `node_modules` packages from dependencies declared in `package.json` (this will also automatically call a long-running compilation stage in `npm run postinstall`)
+* `npm install --foreground-scripts` (or `npm ci --foreground-scripts`): initialize local `node_modules` packages from dependencies declared in `package.json` (this will also automatically call a long-running compilation stage in `npm run postinstall`)
 * in case of failure to NPM "install" because of "Divina player" SHA integrity mismatch, please try running the following command in your shell: `node scripts/package-lock-patch.js && cat package-lock.json | grep -i divina-player-js`
 
 ### Start application in development environment

package.json

@@ -396,6 +396,7 @@
     "markdown-loader": "^8.0.0",
     "mini-css-extract-plugin": "^2.9.2",
     "ncp": "^2.0.0",
+    "npm-scripts-lifecycle": "^1.0.0",
     "prettier": "^3.4.1",
     "react-svg-loader": "^3.0.3",
     "remote-redux-devtools": "^0.5.16",

scripts/scanNodeModules.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# npm install --save-dev --foreground-scripts npm-scripts-lifecycle
+# npm install --foreground-scripts
+
+# --ignore-scripts
+# npm config set ignore-scripts true
+# .npmrc ===> ignore-scripts=true
+
+# https://docs.npmjs.com/cli/v10/using-npm/scripts
+
+# npm query ':attr(scripts, [preinstall]), :attr(scripts, [install]), :attr(scripts, [postinstall]), :attr(scripts, [prepublish]), :attr(scripts, [preprepare]), :attr(scripts, [prepare]), :attr(scripts, [postprepare])' | jq -c '.[] | {name, preinstall: .scripts.preinstall?, install: .scripts.install?, postinstall: .scripts.postinstall?, prepublish: .scripts.prepublish?, preprepare: .scripts.preprepare?, prepare: .scripts.prepare?, postprepare: .scripts.postprepare?}' | tr '\n' '\0' | xargs -0 -n1 -J % echo % | jq -r '. | "######################## [\(.name)]€€--preinstall: \(.preinstall?)€€--install: \(.install?)€€--postinstall: \(.postinstall?)€€--prepublish: \(.prepublish?)€€--preprepare: \(.preprepare?)€€--prepare: \(.prepare?)€€--postprepare: \(.postprepare?)€€"' | sed -e 's/€/\n/g' -e 's/ null//g'
+
+npm query ':attr(scripts, [preinstall]), :attr(scripts, [install]), :attr(scripts, [postinstall])' | jq -c '.[] | {name, preinstall: .scripts.preinstall?, install: .scripts.install?, postinstall: .scripts.postinstall?}' | tr '\n' '\0' | xargs -0 -n1 -J % echo % | jq -r '. | "######################## [\(.name)]€€--preinstall: \(.preinstall?)€€--install: \(.install?)€€--postinstall: \(.postinstall?)€€"' | sed -e 's/€/\n/g' -e 's/ null//g'
+
+# -e 's/^"//' -e 's/"$//'
+#| sed -E -e 's/{//' -e 's/}//' -e 's/[ ]*"name":[[:blank:]]"(.+)",/---\1---/g'
+# for i in `npm query ':attr(scripts, [postinstall])' | jq -c '.[] | {name, postinstall: .scripts.postinstall}' | tr '[:blank:]' '€'`; do echo "${i}" | tr '€' ' '; done;
+#
+# echo '######'
+#  | tr ' ' '\0'
+#  | tr '\n' '\0' | xargs -0 -n1 -I '{}' echo '[{}]'
+# | xargs -n1 -I '{}' echo '{}'
+# echo ${JSON_NPM_POSTINSTALL} | jq '.[].name' | sed -e 's/^"//' -e 's/"$//' | tr '\n' '\0' | xargs -0 -n1 -I '{}' echo '[{}]'
+# echo ${JSON_NPM_POSTINSTALL} | jq '.[].scripts.postinstall'
+# jq 'map(.name)'
+# jq 'map(.scripts.postinstall)'