From 42794d1bd876ddc3799f84f6d798deec38b2cabc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Thu, 4 Dec 2025 19:09:08 +0000
Subject: [PATCH] Disable npm lifecycle scripts for security

Add --ignore-scripts flag to yarn and npm install commands in Dockerfile to prevent execution of potentially malicious scripts during package installation.

Related to PDE-128

Co-authored-by: Ona
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1c2fe98..a018923 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,9 +28,9 @@ WORKDIR /gitpod
 COPY . /gitpod
-RUN yarn --pure-lockfile --non-interactive \
+RUN yarn --pure-lockfile --non-interactive --ignore-scripts \
   && rm -rf /usr/local/share/.cache/yarn
-RUN npm install -g aws-cdk ts-node
+RUN npm install -g --ignore-scripts aws-cdk ts-node
 ENTRYPOINT ["/gitpod/setup.sh"]
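Review bot: The new `npm install -g --ignore-scripts aws-cdk ts-node` line still installs both packages unpinned, so every build resolves whatever version is current on the registry at that moment; skipping lifecycle hooks does not address that exposure, and the two fixes belong together, e.g. `RUN npm install -g --ignore-scripts aws-cdk@<pinned-version> ts-node@<pinned-version>` (versions are placeholders to be taken from the lockfile or a known-good release). On the yarn line, `--ignore-scripts` also suppresses the repository's own `preinstall`/`postinstall`/`prepare` hooks, not only those of dependencies; if the package.json copied in by `COPY . /gitpod` relies on one of them (not visible from this hunk), that step must now be invoked explicitly after the install or the image silently loses it. Dependencies that build native addons through an install script will likewise be left without a compiled binary, which shows up only at require time inside `/gitpod/setup.sh`. A short rationale comment above the yarn RUN, `# --ignore-scripts: dependency lifecycle hooks are not run at install time (PDE-128)`, would keep a future maintainer from removing the flag as an apparent leftover.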