Feat: implement supply chain attack mitigation

.npmignore

@@ -0,0 +1,58 @@
+# Security and sensitive files
+.env*
+*.key
+*.pem
+*.p12
+*.pfx
+secrets/
+private/
+config/secrets/
+
+# Development files
+node_modules/
+.npm/
+.npmrc
+.nvmrc
+*.log
+*.tmp
+.DS_Store
+Thumbs.db
+
+# Build artifacts
+dist/
+build/
+target/
+*.tgz
+*.tar.gz
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Test files
+test/
+tests/
+__tests__/
+*.test.js
+*.test.ts
+*.spec.js
+*.spec.ts
+
+# Documentation
+docs/
+*.md
+!README.md
+
+# CI/CD files
+.github/
+.gitlab-ci.yml
+.travis.yml
+.circleci/
+azure-pipelines.yml
+
+# Scripts
+scripts/
+!scripts/security-check.sh

.npmrc

@@ -0,0 +1,21 @@
+audit-level=moderate
+fund=false
+update-notifier=false
+ignore-scripts=false
+strict-ssl=true
+
+registry=https://registry.npmjs.org/
+audit=true
+package-lock=true
+package-lock-only=false
+save-exact=false
+
+# use npm ci for production builds (faster and more secure)
+# this will be enforced in CI/CD scripts
+
+# prevent installation of optional dependencies that might contain vulnerabilities
+optional=false
+audit=true
+update-notifier=false
+
+save-exact=false

.nvmrc

@@ -0,0 +1 @@
+20.18.0

package.json

@@ -45,7 +45,15 @@
     "types:lint:fix": "lerna run lint:fix --scope @nymproject/types --scope @nymproject/nym-wallet-app",
     "audit:fix": "npm_config_yes=true npx yarn-audit-fix -- --dry-run",
     "dev:on": "node sdk/typescript/scripts/dev-mode-add.mjs",
-    "dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs"
+    "dev:off": "node sdk/typescript/scripts/dev-mode-remove.mjs",
+    "security:audit": "yarn audit --level moderate",
+    "security:audit:fix": "yarn audit --fix",
+    "security:audit:ci": "yarn install --frozen-lockfile && yarn audit --level moderate",
+    "security:check": "yarn audit --level high && yarn list --depth=0",
+    "security:outdated": "yarn outdated",
+    "security:verify": "yarn audit --level moderate && yarn list --depth=0 && yarn outdated",
+    "security:full": "./scripts/security-check.sh",
+    "security:ci": "yarn install --frozen-lockfile && ./scripts/security-check.sh"
   },
   "devDependencies": {
     "@npmcli/node-gyp": "^3.0.0",
@@ -62,6 +70,13 @@
     "@cosmjs/proto-signing": "^0.32.4",
     "@cosmjs/stargate": "^0.32.4",
     "@cosmjs/cosmwasm-stargate": "^0.32.4",
-    "cosmjs-types": "^0.9.0"
+    "cosmjs-types": "^0.9.0",
+    "chalk": "5.3.0",
+    "strip-ansi": "7.1.0",
+    "color-convert": "2.0.1",
+    "color-name": "1.1.4",
+    "is-core-module": "2.13.1",
+    "error-ex": "1.3.2",
+    "has-ansi": "5.0.1"
   }
 }

scripts/security-check.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e
+
+echo "starting security checks..."
+
+if [ ! -f "package.json" ]; then
+    echo "error: package.json not found, please run this script from the project root."
+    exit 1 
+fi
+
+echo "checking Node.js version..."
+if [ -f ".nvmrc" ]; then
+    REQUIRED_NODE_VERSION=$(cat .nvmrc)
+    CURRENT_NODE_VERSION=$(node --version | sed 's/v//')
+    echo "required Node.js version: $REQUIRED_NODE_VERSION"
+    echo "current Node.js version: $CURRENT_NODE_VERSION"
+
+    if [ "$CURRENT_NODE_VERSION" != "$REQUIRED_NODE_VERSION" ]; then
+        echo "warning: Node.js version mismatch, consider using nvm to switch to the required version."
+    fi
+fi
+
+echo "checking .npmrc configuration..."
+if [ ! -f ".npmrc" ]; then
+    echo "Error: .npmrc file not found, security configurations are missing."
+    exit 1
+fi
+
+echo "checking yarn.lock..."
+if [ ! -f "yarn.lock" ]; then
+    echo "error: yarn.lock not found, run 'yarn install' to generate it."
+    exit 1
+fi
+
+echo "running yarn audit..."
+yarn audit --level moderate
+
+echo "checking for outdated packages..."
+yarn outdated || true
+
+echo "verifying package integrity..."
+yarn list --depth=0
+
+echo "checking for known vulnerable packages..."
+yarn audit --level high
+
+echo "checking package sources..."
+yarn list --depth=0 --json | jq -r '.data.trees[] | select(.children) | .children[] | select(.name | test("^https?://(?!registry\\.npmjs\\.org)")) | .name' || true
+
+echo "checks completed successfully!"
+echo ""
+echo "always use 'yarn install --frozen-lockfile' in production environments"
+