Conversation

@jespino jespino commented Dec 1, 2025

Summary

Add security hardening to the devcontainer by:

  • Disabling the npx command to prevent arbitrary package execution
  • Setting ignore-scripts=true for npm and yarn to block lifecycle scripts

This prevents potential security risks from running untrusted scripts during package installation.

Changes

  • Modified .devcontainer/Dockerfile to disable npx and set npm/yarn to ignore scripts
  • Modified dev/image/Dockerfile with the same security hardening

Test plan

  • Build the devcontainer image successfully
  • Verify npx command is disabled and returns an error
  • Verify npm and yarn respect the ignore-scripts setting
  • Verify existing functionality still works with these security measures

🤖 Generated with Claude Code
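The test plan above can be scripted. The following POSIX shell checker is an added example and is not code from this pull request or from the Gitpod repository. It assumes the npm setting is expressed as an `ignore-scripts=true` line in an .npmrc file, the Yarn classic setting as an `ignore-scripts true` line in a .yarnrc file, and that npx is disabled either by leaving nothing executable at its path or by replacing it with a stub that exits non-zero; the file paths and sample files below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this PR or from the Gitpod repository.
# Checks the three points in the PR's test plan against files passed as arguments:
#   1. npm's config (.npmrc) sets ignore-scripts=true          (assumed location/format)
#   2. Yarn classic's config (.yarnrc) sets "ignore-scripts true" (assumed format)
#   3. npx is disabled: nothing executable at its path, or it runs and exits non-zero
# Sample files are constructed at the bottom so the script runs stand-alone.

# Returns 0 if the npm config file has an ignore-scripts=true line (whitespace tolerated).
npmrc_ignores_scripts() {
    grep -Eq '^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Returns 0 if the Yarn classic config has an "ignore-scripts true" line.
yarnrc_ignores_scripts() {
    grep -Eq '^[[:space:]]*ignore-scripts[[:space:]]+true[[:space:]]*$' "$1"
}

# Returns 0 if npx is unusable at the given path: absent or not executable,
# or present but exiting with an error (the "returns an error" case in the test plan).
npx_disabled() {
    if [ ! -x "$1" ]; then
        return 0
    fi
    ! "$1" --version >/dev/null 2>&1
}

# Runs all three checks, reports each failure on stderr, returns 0 only if all pass.
# Arguments: <npmrc path> <yarnrc path> <npx path>
verify_hardening() {
    failed=0
    npmrc_ignores_scripts "$1" || { echo "FAIL: $1 does not set ignore-scripts=true" >&2; failed=1; }
    yarnrc_ignores_scripts "$2" || { echo "FAIL: $2 does not set ignore-scripts true" >&2; failed=1; }
    npx_disabled "$3" || { echo "FAIL: $3 still runs successfully" >&2; failed=1; }
    [ "$failed" -eq 0 ] && echo "OK: npm and yarn ignore lifecycle scripts, npx is disabled"
    return "$failed"
}

# Constructed sample files (not real devcontainer files): one hardened set and one
# unhardened set, plus a hypothetical npx stub that only prints an error and exits 1.
demo=$(mktemp -d)
printf 'ignore-scripts=true\n' > "$demo/npmrc.good"
printf '# no hardening applied\nignore-scripts=false\n' > "$demo/npmrc.bad"
printf 'ignore-scripts true\n' > "$demo/yarnrc.good"
printf 'registry "https://registry.example"\n' > "$demo/yarnrc.bad"
printf '#!/bin/sh\necho "npx is disabled in this image" >&2\nexit 1\n' > "$demo/npx.stub"
chmod +x "$demo/npx.stub"

verify_hardening "$demo/npmrc.good" "$demo/yarnrc.good" "$demo/npx.stub"
```

Inside a built image the same function would be pointed at the real files, for example `verify_hardening /root/.npmrc /root/.yarnrc "$(command -v npx)"` (those paths are assumptions, not taken from the PR). If the image uses Yarn Berry rather than Yarn classic, the equivalent setting is `enableScripts: false` in .yarnrc.yml and the yarn check would need adjusting.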

jespino and others added 2 commits December 1, 2025 16:03

Add security hardening to the devcontainer by:
- Disabling the npx command to prevent arbitrary package execution
- Setting ignore-scripts=true for npm and yarn to block lifecycle scripts

This prevents potential security risks from running untrusted scripts
during package installation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Replace npx tsc and npx prettier with direct calls since npx is being
disabled for security reasons. TypeScript and Prettier are already in
devDependencies, so they can be called directly through yarn/npm.

Changes:
- components/gitpod-db: npx tsc -> tsc
- components/ws-manager-bridge: npx tsc -> tsc
- components/server: npx tsc -> tsc, npx prettier -> prettier

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jespino jespino requested a review from a team as a code owner December 1, 2025 15:16
geropl (Member) commented Dec 1, 2025

@jespino Let's shelve this one a little, we need to take a closer look at the build pipeline to unblock it again.

geropl (Member) commented Dec 1, 2025

I will have somebody look into this from Classic 👍
