Hardening against npm exploits

Author: AuroraLS3

.github/workflows/ci.yml

@@ -54,7 +54,10 @@ jobs:
           java-version: '25'
       - name: 💼 Setup Gradle
         uses: gradle/actions/setup-gradle@v4
-      - name: 🛠 Build jars 
+      - name: 🛠 Build jars
+        env:
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           ./gradlew build -x test
@@ -104,10 +107,15 @@ jobs:
           MYSQL_PASS: password
           MYSQL_PORT: ${{ job.services.mariadb.ports[3306] }}
           CHROMEDRIVER: /usr/local/bin/chromedriver
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           ./gradlew build
       - name: 🖨 Build Javadocs
+        env:
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           echo "Building javadocs with gradle"
@@ -133,6 +141,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        env:
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           ./gradlew sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=player-analytics-plan

.github/workflows/on-release.yml

@@ -86,6 +86,8 @@ jobs:
           RELEASE_CHANGELOG: ${{ github.event.release.body }}
           RELEASE_PRERELEASE: ${{ github.event.release.prerelease }}
           RELEASE_JAR_PATH: ${{ env.RELEASE_JAR_PATH }}
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           ./gradlew :plugin:publishToOre
@@ -154,6 +156,8 @@ jobs:
           RELEASE_CHANGELOG: ${{ github.event.release.body }}
           RELEASE_PRERELEASE: ${{ github.event.release.prerelease }}
           RELEASE_DOWNLOAD_URL: ${{ env.RELEASE_DOWNLOAD_URL }}
+          npm_config_ignore_scripts: true
+          YARN_ENABLE_SCRIPTS: false
         run: |
           cd Plan
           ./gradlew :plugin:publishPluginPublicationToHangar

Plan/common/build.gradle

@@ -170,6 +170,7 @@ tasks.withType(YarnInstallTask).configureEach {
     // Skip Yarn build on Jitpack since Jitpack doesn't offer gclib version compatible with Node 20
     // Jitpack build is used mainly for java dependencies.
     onlyIf("not running in Jitpack") { !project.hasProperty("isJitpack") }
+    args = ["--ignore-scripts"]
 }
 
 tasks.register("copyYarnBuildResults") {

Plan/react/dashboard/.yarnrc

@@ -0,0 +1 @@
+ignore-scripts true

Plan/react/dashboard/package.json

@@ -6,41 +6,41 @@
   "type": "module",
   "proxy": "http://localhost:8800",
   "dependencies": {
-    "@fortawesome/fontawesome-free": "^7.2.0",
-    "@fortawesome/fontawesome-svg-core": "^7.2.0",
-    "@fortawesome/free-brands-svg-icons": "^7.2.0",
-    "@fortawesome/free-regular-svg-icons": "^7.2.0",
-    "@fortawesome/free-solid-svg-icons": "^7.2.0",
-    "@fortawesome/react-fontawesome": "^3.2.0",
-    "@fullcalendar/bootstrap": "^6.1.20",
-    "@fullcalendar/core": "^6.1.20",
-    "@fullcalendar/daygrid": "^6.1.20",
-    "@fullcalendar/interaction": "^6.1.20",
-    "@fullcalendar/react": "^6.1.20",
-    "@highcharts/map-collection": "^2.3.2",
-    "@uiw/react-color-chrome": "^2.9.6",
-    "@uiw/react-color-wheel": "^2.9.6",
-    "axios": "^1.13.6",
-    "bootstrap": "^5.3.8",
-    "export-to-csv": "^1.3.0",
-    "highcharts": "^12.5.0",
-    "i18next": "^25.8.20",
-    "i18next-chained-backend": "^5.0.2",
-    "i18next-http-backend": "^3.0.2",
-    "i18next-localstorage-backend": "^4.3.1",
-    "masonry-layout": "^4.2.2",
-    "moment": "^2.30.1",
-    "react": "^19.1.1",
-    "react-bootstrap": "^2.10.10",
-    "react-bootstrap-range-slider": "^3.0.8",
-    "react-dom": "^19.1.1",
-    "react-i18next": "^16.5.8",
-    "react-mcjsonchat": "^1.0.0",
-    "react-router": "^7.13.1",
-    "react-select": "^5.10.2",
-    "react-transition-group": "^4.4.5",
-    "sass": "^1.98.0",
-    "swagger-ui-dist": "^5.32.1"
+    "@fortawesome/fontawesome-free": "7.2.0",
+    "@fortawesome/fontawesome-svg-core": "7.2.0",
+    "@fortawesome/free-brands-svg-icons": "7.2.0",
+    "@fortawesome/free-regular-svg-icons": "7.2.0",
+    "@fortawesome/free-solid-svg-icons": "7.2.0",
+    "@fortawesome/react-fontawesome": "3.2.0",
+    "@fullcalendar/bootstrap": "6.1.20",
+    "@fullcalendar/core": "6.1.20",
+    "@fullcalendar/daygrid": "6.1.20",
+    "@fullcalendar/interaction": "6.1.20",
+    "@fullcalendar/react": "6.1.20",
+    "@highcharts/map-collection": "2.3.2",
+    "@uiw/react-color-chrome": "2.9.6",
+    "@uiw/react-color-wheel": "2.9.6",
+    "axios": "1.13.6",
+    "bootstrap": "5.3.8",
+    "export-to-csv": "1.4.0",
+    "highcharts": "12.5.0",
+    "i18next": "25.8.20",
+    "i18next-chained-backend": "5.0.2",
+    "i18next-http-backend": "3.0.2",
+    "i18next-localstorage-backend": "4.3.1",
+    "masonry-layout": "4.2.2",
+    "moment": "2.30.1",
+    "react": "19.1.1",
+    "react-bootstrap": "2.10.10",
+    "react-bootstrap-range-slider": "3.0.8",
+    "react-dom": "19.1.1",
+    "react-i18next": "16.5.8",
+    "react-mcjsonchat": "1.0.0",
+    "react-router": "7.13.1",
+    "react-select": "5.10.2",
+    "react-transition-group": "4.4.5",
+    "sass": "1.98.0",
+    "swagger-ui-dist": "5.32.1"
   },
   "scripts": {
     "start": "vite",
@@ -65,12 +65,12 @@
     ]
   },
   "devDependencies": {
-    "@types/react": "^19.2.14",
-    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.2.0",
-    "baseline-browser-mapping": "^2.10.9",
-    "typescript": "^5.9.3",
-    "vite": "^7.3.1"
+    "@types/react": "19.2.14",
+    "@types/react-dom": "19.2.3",
+    "@vitejs/plugin-react": "5.2.0",
+    "baseline-browser-mapping": "2.10.9",
+    "typescript": "5.9.3",
+    "vite": "7.3.1"
   },
   "scarfSettings": {
     "enabled": false