Refactor and improve documentation, add examples
This commit is contained in:
JY Tan
37
docs/recipes/npm-install.md
Normal file
37
docs/recipes/npm-install.md
Normal file
@@ -0,0 +1,37 @@
|
||||
# Recipe: `npm install`
|
||||
|
||||
Goal: allow npm to fetch packages, but block unexpected egress.
|
||||
|
||||
## Start restrictive
|
||||
|
||||
```json
|
||||
{
|
||||
"network": {
|
||||
"allowedDomains": ["registry.npmjs.org", "*.npmjs.org"]
|
||||
},
|
||||
"filesystem": {
|
||||
"allowWrite": [".", "node_modules", "/tmp"]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Run:
|
||||
|
||||
```bash
|
||||
fence --settings ./fence.json npm install
|
||||
```
|
||||
|
||||
## Iterate with monitor mode
|
||||
|
||||
If installs fail, run:
|
||||
|
||||
```bash
|
||||
fence -m --settings ./fence.json npm install
|
||||
```
|
||||
|
||||
Then add the minimum extra domains required for your workflow (private registries, GitHub tarballs, etc.).
|
||||
|
||||
Notes:
|
||||
|
||||
- If your dependencies fetch binaries during install, you may need to allow additional domains.
|
||||
- Keep allowlists narrow; prefer specific hostnames over broad wildcards.
|
||||
Reference in New Issue
Block a user