Skip to content

Disable npm lifecycle scripts and npx for security #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jespino wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Disable npm lifecycle scripts and npx for security #71

jespino wants to merge 1 commit into from

Conversation

@jespino
Copy link

@jespino jespino commented Dec 4, 2025

Disable npm/yarn lifecycle scripts and npx in the devcontainer for security.

Changes

  • Create .devcontainer/Dockerfile with security configurations
  • Update .devcontainer/devcontainer.json to use the new Dockerfile

Security configurations

  • npm config set ignore-scripts true - disables npm lifecycle scripts
  • ignore-scripts true in .yarnrc - disables yarn lifecycle scripts
  • Replace npx binary with error message stub

Fixes PDE-183

@jespino @ona-agent
Disable npm lifecycle scripts and npx for security
f98e706 
- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile

Fixes PDE-183

Co-authored-by: Ona <[email protected]>
@jespino jespino force-pushed the jesus/pde-183-disable-npm-lifecycle-scripts-in-gitpod-sdk-typescript branch from 481ec5c to f98e706 Compare December 4, 2025 16:06
geropl
geropl reviewed Dec 8, 2025
View reviewed changes
CONTRIBUTING.md

```sh
$ npx prism mock path/to/your/openapi.yml
$ yarn add -D @stoplight/prism-cli
Copy link
Member

@geropl geropl Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI This just avoids npx for now, version pinning following in a follow-up PR

geropl
geropl reviewed Dec 8, 2025
View reviewed changes
.devcontainer/Dockerfile
echo 'ignore-scripts true' >> ~/.yarnrc

# Disable npx for security
RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
Copy link
Member

@geropl geropl Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image

We could use $(which npx) to make this more reliable across repos

geropl
geropl requested changes Dec 8, 2025
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/gitpod-io/gitpod-sdk-typescript/pull/71/files#r2598798618

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geropl geropl geropl requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jespino @geropl