12 changes: 12 additions & 0 deletions .devcontainer/Dockerfile
Contributor

Built the image like:

vscode ➜ /workspaces/workspaces/gitpod (clu/npm-security-hardening) $ docker build -f .devcontainer/Dockerfile .

@@ -337,6 +337,18 @@ RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh |
&& nvm alias default v${NODE_VERSION} \
&& npm install -g typescript yarn pnpm node-gyp @anthropic-ai/claude-code"

# Disable npm/yarn lifecycle scripts by default (security hardening)
# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
RUN npm config set ignore-scripts true --location=user && \
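Review bot: `--location=user` on the `npm config set ignore-scripts true` line writes only to the `~/.npmrc` of the account running the build (root, going by the `/root/.npm/_logs` path in the comment below), so the setting does not follow the image when the devcontainer runs as a different user, and the same comment shows the user-level read failing with `ENOWORKSPACES`. For a Dockerfile, `--location=global` is the scope that actually applies image-wide; it is also worth stating in the comment on the line above that this is a default rather than an enforcement boundary, since a project-level `.npmrc` in the checked-out repository can still set `ignore-scripts=false`.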
Contributor

I see this is set for global:

npm config get ignore-scripts --location=global
true

But get an error at the user (default) level:

npm config get ignore-scripts --location=user
npm error code ENOWORKSPACES
npm error This command does not support workspaces.
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-12-03T22_23_34_233Z-debug-0.log

What are we trying to accomplish here? Global makes sense to me, if we're talking a Dockerfile.

Contributor

The latter part of the command seems okay:

cat $HOME/.yarnrc 
ignore-scripts true

But, I'm unsure of the former.

echo 'ignore-scripts true' >> ~/.yarnrc

# Disable npx (security hardening - prevents arbitrary package execution)
RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
Contributor

npx is also installed as part of the nvm installation; we should remove it from here too:

Evidence:

vscode ➜ /workspaces/workspaces/gitpod (clu/npm-security-hardening) $ docker run -it abe5f93ace01
root / $ nvm which node
/root/.nvm/versions/node/v22.17.0/bin/node
root / $ which npx
/root/.nvm/versions/node/v22.17.0/bin/npx

echo '#!/bin/sh' > /usr/local/bin/npx && \
echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
Contributor

Works:

root / $ /usr/local/bin/npx
npx is disabled for security reasons. Use explicit package installation instead.

echo 'exit 1' >> /usr/local/bin/npx && \
chmod +x /usr/local/bin/npx

ENV PATH=$PATH:/root/.aws-iam:/root/.terraform:/workspace/bin

### Telepresence ###
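Review bot: the `/usr/local/bin/npx` shim written by the `echo ... >> /usr/local/bin/npx` lines only takes effect if it is found before the real binary on PATH, but when nvm is sourced it prepends its own `bin` directory (`/root/.nvm/versions/node/v22.17.0/bin`, where a comment above shows `which npx` resolving), so in an interactive shell the genuine npx shadows the shim, and the `rm -f /usr/bin/npx /usr/local/bin/npx` line removes nothing at the location nvm actually uses. Suggest deleting the nvm-installed copy in the same RUN step, for example `rm -f /root/.nvm/versions/node/v${NODE_VERSION}/bin/npx` (reusing the `NODE_VERSION` variable from the `nvm alias default` line above), so the shim is the only `npx` left on any PATH ordering. As a style point, the four separate `echo ... >> /usr/local/bin/npx` lines would read more clearly as a single `printf` or a heredoc `COPY`.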