fix: Add empty NPM_TOKEN to vulnerable post-install scripts

LayerZero-Labs · Nov 10, 2023 · a532c09 · a532c09
1 parent 55d044b
commit a532c09
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml
@@ -31,6 +31,8 @@ jobs:
             # Run the post-install scripts
             - name: Build Dependencies
               run: yarn install --frozen-lockfile --offline
+              env:
+                  NPM_TOKEN: ""
 
             # Cache build artifacts from turbo
             #

diff --git a/.github/workflows/vape-test.yml b/.github/workflows/vape-test.yml
@@ -33,6 +33,8 @@ jobs:
             # Run the post-install scripts
             - name: Build Dependencies
               run: yarn install --frozen-lockfile --offline
+              env:
+                  NPM_TOKEN: ""
 
             # Cache build artifacts from turbo
             #