update

Cornelius Ludmann · ona-agent · Cornelius Ludmann · commit 8fe30fd19fe2 · 2025-12-04T09:58:33.000Z
Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -338,11 +338,12 @@ RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh |
 
 # Disable npm/yarn lifecycle scripts by default (security hardening)
 # To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
-RUN npm config set ignore-scripts true --location=user && \
+RUN npm config set ignore-scripts true --location=global && \
+    npm config set ignore-scripts true --location=user && \
     echo 'ignore-scripts true' >> ~/.yarnrc
 
 # Disable npx (security hardening - prevents arbitrary package execution)
-RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+RUN rm -f /usr/bin/npx /usr/local/bin/npx /root/.nvm/versions/node/v${NODE_VERSION}/bin/npx && \
     echo '#!/bin/sh' > /usr/local/bin/npx && \
     echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
     echo 'exit 1' >> /usr/local/bin/npx && \
diff --git a/.github/workflows/code-build.yaml b/.github/workflows/code-build.yaml
@@ -15,9 +15,10 @@ jobs:
         run: |
           curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
           chmod +x /usr/local/bin/oci-tool
-          cd ./components/ide/gha-update-image/
+          cd ./dev/npm-tools && npm ci
+          echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+          cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
           yarn
-          npm i -g bun
       - name: Check for updates
         id: updates
         run: |
diff --git a/.github/workflows/code-updates.yml b/.github/workflows/code-updates.yml
@@ -12,9 +12,10 @@ jobs:
         run: |
           curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
           chmod +x /usr/local/bin/oci-tool
-          cd ./components/ide/gha-update-image/
+          cd ./dev/npm-tools && npm ci
+          echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+          cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
           yarn
-          npm i -g bun
       - name: Check for updates
         id: updates
         run: |
diff --git a/.github/workflows/jetbrains-auto-update-template.yml b/.github/workflows/jetbrains-auto-update-template.yml
@@ -35,9 +35,10 @@ jobs:
           leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
       - name: Install dependencies
         run: |
-          cd ./components/ide/gha-update-image/
+          cd ./dev/npm-tools && npm ci
+          echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+          cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
           yarn
-          npm i -g bun
       - name: Find Nightly Target
         id: find-target
         run: |
diff --git a/.github/workflows/jetbrains-update-plugin-platform-template.yml b/.github/workflows/jetbrains-update-plugin-platform-template.yml
@@ -33,9 +33,10 @@ jobs:
               run: |
                 curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
                 chmod +x /usr/local/bin/oci-tool
-                cd ./components/ide/gha-update-image/
+                cd ./dev/npm-tools && npm ci
+                echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+                cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
                 yarn
-                npm i -g bun
             - name: Check for Update
               id: change
               run: |
diff --git a/.github/workflows/jetbrains-updates.yml b/.github/workflows/jetbrains-updates.yml
@@ -15,9 +15,10 @@ jobs:
               run: |
                 curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
                 chmod +x /usr/local/bin/oci-tool
-                cd ./components/ide/gha-update-image
+                cd ./dev/npm-tools && npm ci
+                echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+                cd $GITHUB_WORKSPACE/components/ide/gha-update-image
                 yarn
-                npm i -g bun
             - name: Check for updates
               run: |
                 cd ./components/ide/gha-update-image
diff --git a/dev/image/Dockerfile b/dev/image/Dockerfile
@@ -131,11 +131,12 @@ ENV PATH=/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin:$PATH
 
 # Disable npm/yarn lifecycle scripts by default (security hardening)
 # To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
-RUN npm config set ignore-scripts true --location=user && \
+RUN npm config set ignore-scripts true --location=global && \
+    npm config set ignore-scripts true --location=user && \
     echo 'ignore-scripts true' >> ~/.yarnrc
 
 # Disable npx (security hardening - prevents arbitrary package execution)
-RUN sudo rm -f /usr/bin/npx /usr/local/bin/npx && \
+RUN sudo rm -f /usr/bin/npx /usr/local/bin/npx /home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin/npx && \
     echo '#!/bin/sh' | sudo tee /usr/local/bin/npx > /dev/null && \
     echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' | sudo tee -a /usr/local/bin/npx > /dev/null && \
     echo 'exit 1' | sudo tee -a /usr/local/bin/npx > /dev/null && \
diff --git a/dev/npm-tools/package-lock.json b/dev/npm-tools/package-lock.json
diff --git a/dev/npm-tools/package.json b/dev/npm-tools/package.json
diff --git a/test/run.sh b/test/run.sh
