Conversation

@jespino
Contributor

@jespino jespino commented Dec 4, 2025

Disable npm/yarn lifecycle scripts and npx in the devcontainer for security.

Changes

  • Create .devcontainer/Dockerfile with security configurations
  • Update .devcontainer/devcontainer.json to use the new Dockerfile

Security configurations

  • npm config set ignore-scripts true - disables npm lifecycle scripts
  • ignore-scripts true in .yarnrc - disables yarn lifecycle scripts
  • Replace npx binary with error message stub

Fixes PDE-183

- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile

Fixes PDE-183

Co-authored-by: Ona <no-reply@ona.com>
@jespino jespino force-pushed the jesus/pde-183-disable-npm-lifecycle-scripts-in-gitpod-sdk-typescript branch from 481ec5c to f98e706 on December 4, 2025 16:06
echo 'ignore-scripts true' >> ~/.yarnrc

# Disable npx for security
RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
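Review bot: `~/.yarnrc` on the first line resolves to the home directory of whichever user this RUN step executes as (root unless a `USER` directive precedes it), while the build log further down computes `_REMOTE_USER_HOME` for the user `node`, so the setting can land in `/root/.yarnrc` and never be read by the user who actually runs `yarn`; the same applies to `npm config set ignore-scripts true --location=user`, which writes the build user's `~/.npmrc`. Committing `.npmrc` (`ignore-scripts=true`) and `.yarnrc` (`ignore-scripts true`) at the repository root, which both package managers read from the project directory regardless of user, or setting `NPM_CONFIG_IGNORE_SCRIPTS=true` through `containerEnv` in devcontainer.json, would make the setting independent of which user the image was built as.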
Member

We could use $(which npx) to make this more reliable across repos

Contributor Author

good point

Contributor Author

I'm updating this here, and in other PRs

Member

@geropl geropl left a comment

jespino and others added 2 commits December 9, 2025 13:06
Replace hardcoded /usr/bin/npx and /usr/local/bin/npx with $(which npx)
to handle different npx installation locations.

Co-authored-by: Ona <no-reply@ona.com>
echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
echo 'exit 1' >> /usr/local/bin/npx && \
chmod +x /usr/local/bin/npx
RUN NPX_PATH=$(which npx) && \
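Review bot: `$(which npx)` on this line is resolved while the image is being built, but dev container features are applied after the image build (the log below shows the Node feature installing node v24.11.1 with npm v11.6.2 via nvm in a later stage), so the stub overwrites a binary that the finished container's PATH may no longer select and the feature-installed `npx` remains callable. Two smaller points on the same line: if `which npx` finds nothing, the `&&` chain aborts the build with no explanatory message, and if it finds a symlink, `rm -f` followed by the redirect replaces only the link rather than the target. Running this step from `postCreateCommand`, which executes after features, or installing a shim directory ahead of everything else on PATH, would avoid the ordering problem.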
Member

I tested, and it seems it does not work - it seems features are installed after the Docker image, which also makes sense if you think about it.
Which means we either:

  • have to resort to "postCreateCommand"
  • or develop our own feature :(

```
#10 [dev_container_auto_added_stage_label 2/3] RUN npm config set ignore-scripts true --location=user &&     echo 'ignore-scripts true' >> ~/.yarnrc
#10 CACHED

#11 [dev_container_auto_added_stage_label 3/3] RUN bash -c 'NPX_PATH=$(which npx) &&     rm -f "$NPX_PATH" &&     echo "#!/bin/sh" > "$NPX_PATH" &&     echo "echo \"npx is disabled for security reasons. Use explicit package installation instead.\" >&2" >> "$NPX_PATH" &&     echo "exit 1" >> "$NPX_PATH" &&     chmod +x "$NPX_PATH"'
#11 DONE 0.2s
#12 [dev_containers_feature_content_normalize 1/2] COPY --from=dev_containers_feature_content_source devcontainer-features.builtin.env /tmp/build-features/
#12 DONE 0.0s

#13 [dev_containers_target_stage 1/4] RUN mkdir -p /tmp/dev-container-features
#13 DONE 0.2s

#14 [dev_containers_feature_content_normalize 2/2] RUN chmod -R 0755 /tmp/build-features/
#14 DONE 0.2s

#15 [dev_containers_target_stage 2/4] COPY --from=dev_containers_feature_content_normalize /tmp/build-features/ /tmp/dev-container-features
#15 DONE 0.0s
#16 [dev_containers_target_stage 3/4] RUN echo "_CONTAINER_USER_HOME=$( (command -v getent >/dev/null 2>&1 && getent passwd 'root' || grep -E '^root|^[^:]*:[^:]*:root:' /etc/passwd || true) | cut -d: -f6)" >> /tmp/dev-container-features/devcontainer-features.builtin.env && echo "_REMOTE_USER_HOME=$( (command -v getent >/dev/null 2>&1 && getent passwd 'node' || grep -E '^node|^[^:]*:[^:]*:node:' /etc/passwd || true) | cut -d: -f6)" >> /tmp/dev-container-features/devcontainer-features.builtin.env
#16 DONE 0.2s
#17 [dev_containers_target_stage 4/4] RUN --mount=type=bind,from=dev_containers_feature_content_source,source=node_0,target=/tmp/build-features-src/node_0     cp -ar /tmp/build-features-src/node_0 /tmp/dev-container-features  && chmod -R 0755 /tmp/dev-container-features/node_0  && cd /tmp/dev-container-features/node_0  && chmod +x ./devcontainer-features-install.sh  && ./devcontainer-features-install.sh  && rm -rf /tmp/dev-container-features/node_0
#17 0.143 ===========================================================================
#17 0.143 Feature       : Node.js (via nvm), yarn and pnpm
#17 0.143 Description   : Installs Node.js, nvm, yarn, pnpm, and needed dependencies.
#17 0.143 Id            : ghcr.io/devcontainers/features/node
#17 0.143 Version       : 1.6.3
#17 0.143 Documentation : https://github.com/devcontainers/features/tree/main/src/node
#17 0.143 Options       :
#17 0.143     VERSION="lts"
#17 0.143     NODEGYPDEPENDENCIES="true"
#17 0.143     NVMINSTALLPATH="/usr/local/share/nvm"
#17 0.143     PNPMVERSION="latest"
#17 0.143     NVMVERSION="latest"
#17 0.143     INSTALLYARNUSINGAPT="true"
#17 0.143 ===========================================================================
#17 0.376 NVM_VERSION=0.40.3
#17 0.566 NVM already installed.

#17 0.786 Downloading and installing node v24.11.1...
#17 0.905 Downloading https://nodejs.org/dist/v24.11.1/node-v24.11.1-linux-x64.tar.xz...
#17 1.139 Computing checksum with sha256sum
#17 1.171 Checksums matched!
#17 2.948 Now using node v24.11.1 (npm v11.6.2)
#17 3.070 Creating default alias: default -> lts/* (-> v24.11.1 *)
#17 3.170 default -> lts/* (-> v24.11.1 *)
#17 3.176 Yarn is already installed.
#17 3.467 npm warn using --force Recommended protections disabled.
#17 4.640
#17 4.640 added 1 package in 1s
#17 4.641
#17 4.641 1 package is looking for funding
#17 4.641   run `npm fund` for details
#17 4.687 Verifying node-gyp OS requirements...
#17 4.819 nvm cache cleared.
#17 4.890 Done!
```
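
The `postCreateCommand` route mentioned in the comment above, as an added example that is not the PR's or the project's own code. It assumes a hypothetical `.devcontainer/post-create.sh` wired up with `"postCreateCommand": "sh .devcontainer/post-create.sh"` in devcontainer.json, so that it runs after the Node feature has installed node/npm/npx via nvm and as the remote user. It applies the same three settings as the Dockerfile, but writes the npm and yarn config files directly into the runtime user's home (so no working `npm` is required and the file contents are explicit), makes the writes idempotent because `postCreateCommand` can run again on rebuilds, and resolves `npx` only at that point, when the binary on PATH is the one the container will actually use.

```shell
#!/bin/sh
# Added example, not the PR's code: a postCreateCommand script that applies the
# devcontainer hardening after dev container features have installed Node.
# Assumed wiring in devcontainer.json (hypothetical file name):
#   "postCreateCommand": "sh .devcontainer/post-create.sh"
set -eu

# Append a line to a config file only if it is not already present, so the
# script can be re-run on container rebuilds without duplicating entries.
ensure_line() {
    file="$1"
    line="$2"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Write the lifecycle-script settings into the given home directory.
# npm reads ~/.npmrc as key=value; Yarn 1.x reads ~/.yarnrc as "key value".
disable_lifecycle_scripts() {
    home="$1"
    ensure_line "$home/.npmrc" "ignore-scripts=true"
    ensure_line "$home/.yarnrc" "ignore-scripts true"
}

# Replace the npx program at the given path with a stub that refuses to run.
# rm -f first so that a symlink (nvm installs npx as one) is replaced, not
# followed into the real npm tree.
write_npx_stub() {
    path="$1"
    rm -f "$path"
    cat > "$path" <<'EOF'
#!/bin/sh
echo "npx is disabled for security reasons. Use explicit package installation instead." >&2
exit 1
EOF
    chmod 0755 "$path"
}

# Return 0 when both npm and yarn are configured to ignore scripts in the
# given home directory, 1 otherwise. Useful as a post-create self-check.
lifecycle_scripts_disabled() {
    home="$1"
    grep -qxF "ignore-scripts=true" "$home/.npmrc" 2>/dev/null &&
        grep -qxF "ignore-scripts true" "$home/.yarnrc" 2>/dev/null
}

main() {
    disable_lifecycle_scripts "$HOME"
    # Resolve npx now, after features have run: this is the binary the
    # container's PATH selects, not the one present at image build time.
    npx_path="$(command -v npx || true)"
    if [ -n "$npx_path" ]; then
        write_npx_stub "$npx_path"
    fi
    lifecycle_scripts_disabled "$HOME"
}

# Run main only when executed as the script itself, not when sourced.
case "${0##*/}" in post-create.sh) main ;; esac
```

Two caveats worth keeping in mind with this approach: a user-level `ignore-scripts` is a default, not a policy, since a project `.npmrc` or an explicit `--ignore-scripts=false` overrides it; and under nvm the stub replaces the `npx` of the currently selected Node version only, so installing another version with `nvm install` brings back a working `npx` for that version. A directory placed ahead of everything else on PATH holding the stub avoids the second problem.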


3 participants