Pin npm dependencies using yarn --frozen-lockfile (#72)

jespino · ona-agent · easyCZ · web-flow · commit 734eabe520e9 · 2025-12-09T10:55:29.000+01:00
* Disable npm lifecycle scripts and npx for security

- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile

Fixes PDE-183

Co-authored-by: Ona &lt;no-reply@ona.com&gt;

* Pin npm dependencies using yarn --frozen-lockfile

Use yarn install --frozen-lockfile to ensure dependencies are installed
from the lock file.

Fixes PDE-190

Co-authored-by: Ona &lt;no-reply@ona.com&gt;

---------

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
Co-authored-by: Milan Pavlik &lt;pavlik.mil@gmail.com&gt;
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:latest
+
+# Disable npm/yarn lifecycle scripts for security
+RUN npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx for security
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -2,11 +2,13 @@
 // README at: https://github.com/devcontainers/templates/tree/main/src/debian
 {
   "name": "Development",
-  "image": "mcr.microsoft.com/devcontainers/typescript-node:latest",
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
   "features": {
     "ghcr.io/devcontainers/features/node:1": {}
   },
-  "postCreateCommand": "yarn install",
+  "postCreateCommand": "yarn install --frozen-lockfile",
   "customizations": {
     "vscode": {
       "extensions": ["esbenp.prettier-vscode"]
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -27,7 +27,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          yarn install --ignore-scripts
+          yarn install --frozen-lockfile --ignore-scripts
 
       - name: Publish to NPM
         run: |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -68,7 +68,8 @@ $ pnpm link -—global @gitpod/sdk
 Most tests require you to [set up a mock server](https://github.com/stoplightio/prism) against the OpenAPI spec to run the tests.
 
 ```sh
-$ npx prism mock path/to/your/openapi.yml
+$ yarn add -D @stoplight/prism-cli
+$ yarn prism mock path/to/your/openapi.yml
 ```
 
 ```sh
