[dev] disable npm lifecycle scripts and npx

Cornelius Ludmann · Cornelius Ludmann · commit e168a9c0fc62 · 2025-12-03T14:20:32.000Z
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -337,6 +337,18 @@ RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh |
     && nvm alias default v${NODE_VERSION} \
     && npm install -g typescript yarn pnpm node-gyp @anthropic-ai/claude-code"
 
+# Disable npm/yarn lifecycle scripts by default (security hardening)
+# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
+RUN npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx (security hardening - prevents arbitrary package execution)
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx
+
 ENV PATH=$PATH:/root/.aws-iam:/root/.terraform:/workspace/bin
 
 ### Telepresence ###
