38 lines
738 B
Markdown
38 lines
738 B
Markdown
# Recipe: `npm install`
|
|
|
|
Goal: allow npm to fetch packages, but block unexpected egress.
|
|
|
|
## Start restrictive
|
|
|
|
```json
|
|
{
|
|
"network": {
|
|
"allowedDomains": ["registry.npmjs.org", "*.npmjs.org"]
|
|
},
|
|
"filesystem": {
|
|
"allowWrite": [".", "node_modules", "/tmp"]
|
|
}
|
|
}
|
|
```
|
|
|
|
Run:
|
|
|
|
```bash
|
|
fence --settings ./fence.json npm install
|
|
```
|
|
|
|
## Iterate with monitor mode
|
|
|
|
If installs fail, run:
|
|
|
|
```bash
|
|
fence -m --settings ./fence.json npm install
|
|
```
|
|
|
|
Then add the minimum extra domains required for your workflow (private registries, GitHub tarballs, etc.).
|
|
|
|
Notes:
|
|
|
|
- If your dependencies fetch binaries during install, you may need to allow additional domains.
|
|
- Keep allowlists narrow; prefer specific hostnames over broad wildcards.
|