From ccae376f37418aa39b445689ff0ea1e3976195f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Fri, 5 Dec 2025 17:06:16 +0000
Subject: [PATCH 1/2] Disable npm lifecycle scripts and npx for security

- Add npm/yarn ignore-scripts config to Dockerfile
- Disable npx with a stub that shows an error message
- Add --ignore-scripts flag to npm install

Related to PDE-128

Co-authored-by: Ona
---
 gitpod/gitpod.Dockerfile | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gitpod/gitpod.Dockerfile b/gitpod/gitpod.Dockerfile
index aad8d56..d47e455 100644
--- a/gitpod/gitpod.Dockerfile
+++ b/gitpod/gitpod.Dockerfile
@@ -1,4 +1,13 @@
 FROM gitpod/workspace-full:latest
+# Disable npm lifecycle scripts and npx for security
+RUN npm config set ignore-scripts true --location=user && \
+ echo 'ignore-scripts true' >> ~/.yarnrc && \
+ rm -f /usr/bin/npx /usr/local/bin/npx && \
+ echo '#!/bin/sh' > /usr/local/bin/npx && \
+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+ echo 'exit 1' >> /usr/local/bin/npx && \
+ chmod +x /usr/local/bin/npx
+
 # Cache firebase
-RUN npm install --global npm firebase firebase-tools
\ No newline at end of file
+RUN npm install --global --ignore-scripts npm firebase firebase-tools
\ No newline at end of file

From 22202cdee28a4f73b1a39557e76d3347003f0485 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Tue, 9 Dec 2025 12:45:38 +0000
Subject: [PATCH 2/2] Use dynamic npx path detection instead of hardcoded paths

Replace hardcoded /usr/bin/npx and /usr/local/bin/npx with $(which npx) to handle different npx installation locations.

Co-authored-by: Ona
---
 gitpod/gitpod.Dockerfile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gitpod/gitpod.Dockerfile b/gitpod/gitpod.Dockerfile
index d47e455..fc6bf84 100644
--- a/gitpod/gitpod.Dockerfile
+++ b/gitpod/gitpod.Dockerfile
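Review bot: `echo 'ignore-scripts true' >> ~/.yarnrc` only reaches Yarn 1 (classic); Yarn 2+ reads `.yarnrc.yml` and ignores `.yarnrc`, so if the workspace ships a newer Yarn that half of the control is silently absent — add `enableScripts: false` to `~/.yarnrc.yml` alongside it. The npm half, `npm config set ignore-scripts true --location=user`, lands in the build user's `~/.npmrc`, and a project-level `.npmrc` in a checked-out repository takes precedence over the user file, so this is a default rather than an enforcement; the comment on the block should say so, e.g. `# Default-deny npm/yarn lifecycle scripts (user-level config; a repo-level .npmrc still takes precedence)`. The `rm -f`/`echo ... > /usr/local/bin/npx` lines also need write access to `/usr/local/bin`, which this `RUN` does not arrange for if the base image's default USER is unprivileged.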
@@ -3,11 +3,12 @@ FROM gitpod/workspace-full:latest
 # Disable npm lifecycle scripts and npx for security
 RUN npm config set ignore-scripts true --location=user && \
 echo 'ignore-scripts true' >> ~/.yarnrc && \
- rm -f /usr/bin/npx /usr/local/bin/npx && \
- echo '#!/bin/sh' > /usr/local/bin/npx && \
- echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
- echo 'exit 1' >> /usr/local/bin/npx && \
- chmod +x /usr/local/bin/npx
+ NPX_PATH=$(which npx) && \
+ rm -f "$NPX_PATH" && \
+ echo '#!/bin/sh' > "$NPX_PATH" && \
+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> "$NPX_PATH" && \
+ echo 'exit 1' >> "$NPX_PATH" && \
+ chmod +x "$NPX_PATH"
 # Cache firebase
 RUN npm install --global --ignore-scripts npm firebase firebase-tools
\ No newline at end of file
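Review bot: The stub written to `$NPX_PATH` lives in the npm global bin directory that the final line's `npm install --global --ignore-scripts npm firebase firebase-tools` re-links: npm's own package declares an `npx` bin, so reinstalling npm afterwards either recreates the real `npx` link over the stub or fails on the pre-existing file, depending on the npm version — in neither case does the stub survive into the finished image as ordered here. Move the stub step after the global install, resolve the path with the POSIX `command -v npx` instead of `which`, and write the three lines with one `printf` so a failure mid-chain does not leave a partial, executable-free file behind. The Yarn-2 `.yarnrc.yml` caveat raised on the first patch still applies to the unchanged context lines of this hunk.
```dockerfile
# … unchanged: npm config set ignore-scripts / ~/.yarnrc lines …

# Cache firebase
RUN npm install --global --ignore-scripts npm firebase firebase-tools

# Stub out npx only after the global npm reinstall above, which re-links npm's own npx bin
RUN NPX_PATH=$(command -v npx) && \
    rm -f "$NPX_PATH" && \
    printf '%s\n' '#!/bin/sh' \
        'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' \
        'exit 1' > "$NPX_PATH" && \
    chmod +x "$NPX_PATH"
```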