Running npm ci is dangerous. See "How to protect yourself from npm".
We do it on multiple pages:
- https://www.mediawiki.org/wiki/Selenium/Getting_Started/Run_tests_targeting_MediaWiki-Docker
- https://www.mediawiki.org/wiki/Selenium/Getting_Started/Run_tests_targeting_Beta_cluster
- https://www.mediawiki.org/wiki/Selenium/How-to/Run_tests_targeting_MediaWiki-Vagrant
The advantage of installing dependencies in a container or virtual machine is security, but then debugging with the browser open becomes impossible.
Pages about debugging (one of them is just a draft for now):
- https://www.mediawiki.org/wiki/Selenium/How-to/Debug_with_Visual_Studio_Code
- https://www.mediawiki.org/wiki/Selenium/How-to/Debug_with_browser.debug()
For now I've added a warning to all pages that npm ci is not safe.