[WIP] Update strict mode network validation documentation #15431
@@ -128,26 +128,42 @@ network: | |
| allowed: | ||
| - python # Ecosystem identifier | ||
| - node # Ecosystem identifier | ||
| - "api.example.com" # Custom domains still allowed | ||
| ```` | ||
|
|
||
| When strict mode rejects a domain, the error message suggests the correct ecosystem: | ||
| ### Error Messages | ||
|
|
||
| When strict mode rejects a domain that belongs to a known ecosystem, the error message suggests the ecosystem identifier: | ||
|
|
||
| ````text | ||
| error: strict mode: network domains must be from known ecosystems (e.g., 'defaults', | ||
| 'python', 'node') for all engines in strict mode. Custom domains are not allowed for | ||
| security. Did you mean: 'pypi.org' belongs to ecosystem 'python'? | ||
| ```` | ||
|
|
||
| Disable strict mode for development or testing: | ||
| When strict mode rejects a custom domain: | ||
|
|
||
| ````text | ||
| error: strict mode: network domains must be from known ecosystems (e.g., 'defaults', | ||
| 'python', 'node') for all engines in strict mode. Custom domains are not allowed for | ||
| security. Set 'strict: false' to use custom domains. | ||
| ```` | ||
|
|
||
| ### Using Custom Domains | ||
|
|
||
| To use custom domains (domains not in known ecosystems), disable strict mode: | ||
|
|
||
| ````yaml | ||
| strict: false | ||
| --- | ||
| strict: false # Required for custom domains | ||
| network: | ||
| allowed: | ||
| - "pypi.org" # Now allowed | ||
| - python # Ecosystem identifier | ||
| - "api.example.com" # Custom domain (only allowed with strict: false) | ||
| --- | ||
|
|
||
| ```` | ||
|
|
||
| **Security Note**: Custom domains bypass ecosystem validation. Only disable strict mode when necessary and ensure you trust the custom domains you allow. | ||
|
|
||
| ## Security Best Practices | ||
|
|
||
| 1. **Start minimal** - Only add ecosystems you actually use | ||
|
|
||
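Review bot: the two error-message examples in this hunk (the one after "belongs to a known ecosystem" and the one after "rejects a custom domain") are meant to be the literal text a user will see, but the first one stops at "Did you mean: 'pypi.org' belongs to ecosystem 'python'?" while the second ends with "Set 'strict: false' to use custom domains." If the validator emits the same closing sentence in both cases, the first example should carry it too, otherwise readers grepping for the message will only match half of it; suggest ending both blocks with the identical trailing sentence and, if the code appends a reference URL, including that as well. Separately, the "Security Note" says custom domains bypass ecosystem validation, but the YAML example above it keeps `python` alongside `"api.example.com"` under `strict: false`; it would help to state whether `strict: false` relaxes checking only for the custom entries or for the whole `allowed` list, since that determines how much of the workflow's egress policy the user is giving up by flipping the flag.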
The strict-mode error string in code always appends "Set 'strict: false' to use custom domains. See: https://github.github.com/gh-aw/reference/network/" (even when a "Did you mean" ecosystem suggestion is present). This example currently stops after the suggestion, so it doesn’t match actual output.
This issue also appears on line 145 of the same file.