From f19e709c4831f102d73daa45cec6c9ab2f4a6496 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?= 
Date: Thu, 4 Dec 2025 19:09:13 +0000
Subject: [PATCH 1/2] Disable npm lifecycle scripts and npx for security

- Add npm/yarn ignore-scripts config to Dockerfile
- Disable npx with a stub that shows an error message
- Replace npx playwright with yarn playwright
- Add --ignore-scripts flag to yarn install in .gitpod.yml

Related to PDE-128

Co-authored-by: Ona 
---
 .gitpod.yml | 2 +-
 Dockerfile | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.gitpod.yml b/.gitpod.yml
index 7efafb7..cc367e7 100644
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -4,7 +4,7 @@ tasks:
 init: |
 mkdir node_modules
 cp -r /home/gitpod/.cache/workspace/* ./node_modules
- yarn
+ yarn --ignore-scripts
 yarn compile
 command: |
 touch __init_task_done__
diff --git a/Dockerfile b/Dockerfile
index ea194ed..45b4606 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,23 @@
 FROM gitpod/workspace-full
+# Disable npm lifecycle scripts and npx for security
+RUN npm config set ignore-scripts true --location=user && \
+ echo 'ignore-scripts true' >> ~/.yarnrc && \
+ rm -f /usr/bin/npx /usr/local/bin/npx && \
+ echo '#!/bin/sh' > /usr/local/bin/npx && \
+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+ echo 'exit 1' >> /usr/local/bin/npx && \
+ chmod +x /usr/local/bin/npx
 # Create a new image and publish it to dockerhub, then use it directly in .gitpod.yml
 # as prebuils for integration test makes no sense because a new environment is created
 # every time
 RUN cd /tmp \
 && git clone https://github.com/gitpod-io/python-test-workspace --depth=1 --single-branch --branch=master \
 && cd python-test-workspace \
- && yarn \
+ && yarn --ignore-scripts \
 && mkdir -p /home/gitpod/.cache/workspace \
 && cp -r ./node_modules /home/gitpod/.cache/workspace \
 && python3 -m pip install --upgrade ipykernel \
- && npm_config_yes=true npx playwright install-deps \
- && npm_config_yes=true npx playwright install
\ No newline at end of file
+ && yarn playwright install-deps \
+ && yarn playwright install
\ No newline at end of file

From 76420cb1721bd1ce1cd9c4fa0db53e55464e0e3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?= 
Date: Tue, 9 Dec 2025 12:45:32 +0000
Subject: [PATCH 2/2] Use dynamic npx path detection instead of hardcoded paths

Replace hardcoded /usr/bin/npx and /usr/local/bin/npx with $(which npx) to handle different npx installation locations.

Co-authored-by: Ona 
---
 Dockerfile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 45b4606..b3f40dd 100644
--- a/Dockerfile
+++ b/Dockerfile
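Review bot: The `ignore-scripts` setting written by the new RUN (`npm config set ... --location=user` plus the `~/.yarnrc` append) is a per-user default, not an enforced policy: a project-level `.npmrc`/`.yarnrc` or a command-line flag takes precedence over user config, and if the image's yarn is v2+ it reads `.yarnrc.yml` (`enableScripts: false`) and ignores `.yarnrc` entirely, so the comment on the first added line promises more than the layer guarantees. I would make that explicit: `# Default npm/yarn to ignore-scripts (per-user config; project-level .npmrc/.yarnrc or CLI flags still take precedence)`. Likewise the stub only replaces the `npx` entry point while `npm exec`, which npm documents as the same command, is left untouched, so the comment should describe the stub as a guard against habitual `npx` use rather than a block. Both RUN instructions begin and end inside this hunk, which covers the whole file.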
@@ -3,11 +3,12 @@ FROM gitpod/workspace-full
 # Disable npm lifecycle scripts and npx for security
 RUN npm config set ignore-scripts true --location=user && \
 echo 'ignore-scripts true' >> ~/.yarnrc && \
- rm -f /usr/bin/npx /usr/local/bin/npx && \
- echo '#!/bin/sh' > /usr/local/bin/npx && \
- echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
- echo 'exit 1' >> /usr/local/bin/npx && \
- chmod +x /usr/local/bin/npx
+ NPX_PATH=$(which npx) && \
+ rm -f "$NPX_PATH" && \
+ echo '#!/bin/sh' > "$NPX_PATH" && \
+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> "$NPX_PATH" && \
+ echo 'exit 1' >> "$NPX_PATH" && \
+ chmod +x "$NPX_PATH"
 # Create a new image and publish it to dockerhub, then use it directly in .gitpod.yml
 # as prebuils for integration test makes no sense because a new environment is created
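Review bot: `NPX_PATH=$(which npx)` only rewrites the npx that is first on PATH in the build shell; if Node is provided through a version manager (the `/home/gitpod` paths elsewhere in the file suggest per-user installs, but this is inferred), any other installed Node version keeps its own working `npx`, so the comment above the RUN should state that only the default toolchain's `npx` is stubbed. `which` is also not POSIX and exits non-zero without printing anything, so a base image without npx fails this layer with a bare exit code; `NPX_PATH=$(command -v npx) && test -n "$NPX_PATH" && \` followed by the existing `rm -f "$NPX_PATH" && \` gives a portable lookup and a diagnosable failure. Consider documenting in the same comment that the user-level `ignore-scripts` config set on the preceding lines is a default that project config or CLI flags can override, so operators do not read this layer as an enforced control. The RUN instruction begins and ends inside the hunk.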