Onboard keeps the dependency surface intentionally small. The Go server is the runtime path and the browser code is plain JavaScript served from the embedded binary. Node is used for JavaScript tests, not for production serving.
- Go dependencies must stay pinned in
go.modand verified bygo.sum. - The Go toolchain version is recorded in
go.mod. - npm must keep
package-lock.jsoncommitted, even when there are no external packages. The lockfile makes future dependency additions explicit in review. package.jsonpins the expected Node and npm versions for this project..nvmrcand.node-versionmirror the Node version for common local version managers.
The project .npmrc sets conservative defaults:
save-exact=trueavoids loose semver ranges for new packages.package-lock=truerequires lockfile updates.ignore-scripts=trueblocks dependency lifecycle scripts by default.audit=truekeeps npm audit enabled.
If a future dependency legitimately needs install scripts, review that package first, document the reason in the pull request or commit, and run the install with an explicit override:
npm install --ignore-scripts=false <package>Do not keep that override in .npmrc.
Before adding a dependency:
- Prefer standard library, existing code, or a tiny local helper when practical.
- Check package name, publisher, repository, and recent publish history.
- Avoid newly published versions during active npm supply-chain incidents.
- Commit the changed manifest and lockfile together.
- Run:
npm run security:npm
npm run test:js
GOCACHE=/tmp/onboard-go-build-cache /usr/local/go/bin/go test ./...For suspected malicious package exposure, isolate the machine before rotating tokens if persistence is possible. Then remove persistence, clear poisoned caches, and rotate GitHub, npm, cloud, SSH, and CI/CD credentials that were available to the affected environment.