Disable npm lifecycle scripts and npx for security

jespino · ona-agent · jespino · commit ccae376f3741 · 2025-12-05T17:06:16.000Z
- Add npm/yarn ignore-scripts config to Dockerfile
- Disable npx with a stub that shows an error message
- Add --ignore-scripts flag to npm install

Related to PDE-128

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/gitpod/gitpod.Dockerfile b/gitpod/gitpod.Dockerfile
@@ -1,4 +1,13 @@
 FROM gitpod/workspace-full:latest
 
+# Disable npm lifecycle scripts and npx for security
+RUN npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc && \
+    rm -f /usr/bin/npx /usr/local/bin/npx && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx
+
 # Cache firebase
-RUN npm install --global npm firebase firebase-tools
+RUN npm install --global --ignore-scripts npm firebase firebase-tools
