lines changed Original file line number Diff line number Diff line change @@ -129,6 +129,18 @@ RUN bash -c ". .nvm/nvm.sh \
129129 && nvm install $GITPOD_NODE_VERSION"
130130ENV PATH=/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin:$PATH
131131
132+ # Disable npm/yarn lifecycle scripts by default (security hardening)
133+ # To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
134+ RUN npm config set ignore-scripts true --location=user && \
135+ echo 'ignore-scripts true' >> ~/.yarnrc
136+
137+ # Disable npx (security hardening - prevents arbitrary package execution)
138+ RUN sudo rm -f /usr/bin/npx /usr/local/bin/npx && \
139+ echo '#!/bin/sh' | sudo tee /usr/local/bin/npx > /dev/null && \
140+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' | sudo tee -a /usr/local/bin/npx > /dev/null && \
141+ echo 'exit 1' | sudo tee -a /usr/local/bin/npx > /dev/null && \
142+ sudo chmod +x /usr/local/bin/npx
143+
132144# Install npm-tools with locked dependencies
133145COPY dev/npm-tools/package.json dev/npm-tools/package-lock.json /opt/npm-tools/
134146RUN cd /opt/npm-tools && \
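Review bot: The npx stub written to /usr/local/bin/npx on lines 138–142 is shadowed by the nvm-installed npx, because line 130 puts /home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin ahead of /usr/local/bin in PATH, so `npx` still resolves to the real binary and this hardening step has no effect. Removing the nvm copy in the same layer closes that gap, e.g. adding `rm -f "/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin/npx" && \` before the `sudo rm -f` line. Even then `npm exec` / `npm x` provide the same functionality, so the comment on line 137 overstates what is prevented; something like `# Removes the npx entry point only; npm exec / npm x remain available` would be more accurate for the next maintainer. The `ignore-scripts true` appended to ~/.yarnrc on line 135 is Yarn classic syntax; if Yarn 2+ is what gets installed (not visible in this hunk) it reads .yarnrc.yml (`enableScripts: false`) instead and the line is a no-op, so which Yarn is in use is worth confirming.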