Merged
24 changes: 22 additions & 2 deletions .devcontainer/Dockerfile
Contributor

Built the image like:

vscode ➜ /workspaces/workspaces/gitpod (clu/npm-security-hardening) $ docker build -f .devcontainer/Dockerfile .

@@ -334,8 +334,28 @@ ENV HOME=/root
RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
&& bash -c ". $HOME/.nvm/nvm.sh \
&& nvm install v${NODE_VERSION} \
&& nvm alias default v${NODE_VERSION} \
&& npm install -g typescript yarn pnpm node-gyp @anthropic-ai/claude-code"
&& nvm alias default v${NODE_VERSION}"

# Disable npm/yarn lifecycle scripts by default (security hardening)
# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
RUN npm config set ignore-scripts true --location=user && \
Contributor

I see this is set for global:

npm config get ignore-scripts --location=global
true

But get an error at the user (default) level:

npm config get ignore-scripts --location=user
npm error code ENOWORKSPACES
npm error This command does not support workspaces.
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-12-03T22_23_34_233Z-debug-0.log

What are we trying to accomplish here? Global makes sense to me, if we're talking a Dockerfile.

Contributor

The latter part of the command seems okay:

cat $HOME/.yarnrc 
ignore-scripts true

But I'm unsure of the former.

echo 'ignore-scripts true' >> ~/.yarnrc

# Disable npx (security hardening - prevents arbitrary package execution)
RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
Contributor

npx is also located as part of the nvm installation; we should remove it from here too:

Evidence:

vscode ➜ /workspaces/workspaces/gitpod (clu/npm-security-hardening) $ docker run -it abe5f93ace01
root / $ nvm which node
/root/.nvm/versions/node/v22.17.0/bin/node
root / $ which npx
/root/.nvm/versions/node/v22.17.0/bin/npx
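Taking the comment above one step further: with nvm's bin directory first on PATH, deleting /usr/bin/npx and /usr/local/bin/npx and writing a stub into /usr/local/bin changes nothing for the `npx` a shell actually finds. The script below is an added example, not code from the PR or from the Gitpod repository. It rebuilds that lookup in a throwaway directory tree under mktemp, shows which npx wins, and then applies a `disable_npx` that stubs every npx reachable through PATH rather than two fixed locations. The directory layout, the PATH string and the `first_on_path`, `write_stub`, `disable_npx` and `demo` helpers are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PR. It reproduces the PATH lookup that lets the
# nvm-installed npx shadow the stub in /usr/local/bin, and shows a disable_npx that
# stubs every npx reachable through PATH instead of two hard-coded locations.
# Every directory used here is created under mktemp; none is a real system path.

# first_on_path NAME PATHSPEC: print the first regular, executable NAME found by
# walking PATHSPEC left to right (the order `command -v NAME` uses). Exit 1 if none.
first_on_path() {
  _name=$1
  _ifs=$IFS; IFS=:; set -- $2; IFS=$_ifs
  for _dir in "$@"; do
    if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
      printf '%s\n' "$_dir/$_name"
      return 0
    fi
  done
  return 1
}

# write_stub FILE: the same refusal stub the PR writes to /usr/local/bin/npx.
write_stub() {
  printf '%s\n' '#!/bin/sh' \
    'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' \
    'exit 1' > "$1"
  chmod +x "$1"
}

# disable_npx PATHSPEC: overwrite EVERY npx in any PATHSPEC directory with the
# stub, so no copy (nvm's included) can shadow it, whatever the PATH order is.
disable_npx() {
  _ifs=$IFS; IFS=:; set -- $1; IFS=$_ifs
  for _dir in "$@"; do
    [ -e "$_dir/npx" ] && write_stub "$_dir/npx"
  done
  return 0
}

# demo: build a throwaway image-like layout and record what npx resolves to before
# and after the fix. Results are left in the DEMO_* variables for inspection.
demo() {
  DEMO_ROOT=$(mktemp -d)
  mkdir -p "$DEMO_ROOT/nvm/bin" "$DEMO_ROOT/usr/local/bin" "$DEMO_ROOT/usr/bin"
  for _f in "$DEMO_ROOT/nvm/bin/npx" "$DEMO_ROOT/usr/bin/npx"; do
    printf '#!/bin/sh\necho "real npx: would fetch and run an arbitrary package"\n' > "$_f"
    chmod +x "$_f"
  done
  # nvm puts its bin directory first, as ENV PATH=/home/gitpod/.nvm/.../bin:$PATH does
  DEMO_PATH="$DEMO_ROOT/nvm/bin:$DEMO_ROOT/usr/local/bin:$DEMO_ROOT/usr/bin"

  # What the PR does: delete two well-known copies, drop the stub into /usr/local/bin.
  rm -f "$DEMO_ROOT/usr/bin/npx" "$DEMO_ROOT/usr/local/bin/npx"
  write_stub "$DEMO_ROOT/usr/local/bin/npx"
  DEMO_BEFORE=$(first_on_path npx "$DEMO_PATH")     # nvm's real npx still wins
  DEMO_BEFORE_RC=0
  DEMO_BEFORE_OUT=$(sh "$DEMO_BEFORE" 2>&1) || DEMO_BEFORE_RC=$?

  # The fix: stub every npx on PATH, then resolve again.
  disable_npx "$DEMO_PATH"
  DEMO_AFTER=$(first_on_path npx "$DEMO_PATH")      # same path, but now the stub
  DEMO_AFTER_RC=0
  DEMO_AFTER_OUT=$(sh "$DEMO_AFTER" 2>&1) || DEMO_AFTER_RC=$?

  rm -rf "$DEMO_ROOT"
}

demo
echo "before fix: $DEMO_BEFORE (rc=$DEMO_BEFORE_RC): $DEMO_BEFORE_OUT"
echo "after fix:  $DEMO_AFTER (rc=$DEMO_AFTER_RC): $DEMO_AFTER_OUT"
```

Run it with `sh`: the "before fix" line resolves to the nvm copy and exits 0, the "after fix" line resolves to the same path but now prints the refusal and exits 1. In a real image the same loop would run over `$PATH` after nvm is installed. Note that `npx` is only a front end for `npm exec`, which stays available, so the stub removes a convenient foot-gun rather than enforcing a boundary.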

echo '#!/bin/sh' > /usr/local/bin/npx && \
echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
Contributor

Works:

root / $ /usr/local/bin/npx
npx is disabled for security reasons. Use explicit package installation instead.

echo 'exit 1' >> /usr/local/bin/npx && \
chmod +x /usr/local/bin/npx

# Install npm-tools with locked dependencies
COPY dev/npm-tools/package.json dev/npm-tools/package-lock.json /opt/npm-tools/
RUN cd /opt/npm-tools && \
npm ci && \
for bin in /opt/npm-tools/node_modules/.bin/*; do \
ln -sf "$bin" /usr/local/bin/$(basename "$bin"); \
done && \
rm -rf ~/.npm/_cacache

ENV PATH=$PATH:/root/.aws-iam:/root/.terraform:/workspace/bin
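Review bot: the `rm -f /usr/bin/npx /usr/local/bin/npx` line leaves the copy nvm installs under `$HOME/.nvm/versions/node/v${NODE_VERSION}/bin/`, and because nvm prepends that directory to PATH, the real npx shadows the new stub in /usr/local/bin (the `which npx` output in the thread shows exactly that). Stub or delete `$HOME/.nvm/versions/node/v${NODE_VERSION}/bin/npx` in the same RUN step; also keep in mind that `npx` is a front end for `npm exec`, which this change does not touch. On the `npm config set ignore-scripts true --location=user` line: `--location=user` writes `$HOME/.npmrc`, here /root/.npmrc, so it only applies to root, while `--location=global` writes the npmrc of the active npm prefix (the nvm node directory), which is what the thread reports as already reading `true`; pick one deliberately and say which in the comment. Finally, since `npm ci` in /opt/npm-tools now runs with ignore-scripts active, any tool in that lockfile that relies on an install script will be installed without it, which is worth stating in the comment above that step.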

2 changes: 1 addition & 1 deletion components/gitpod-db/package.json
@@ -3,7 +3,7 @@
"license": "AGPL-3.0",
"version": "0.1.5",
"scripts": {
"build": "npx tsc",
"build": "tsc",
"build:clean": "yarn clean && yarn lint && yarn build",
"lint": "yarn eslint src/*.ts src/**/*.ts",
"lint:fix": "yarn eslint src/*.ts src/**/*.ts --fix",
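Review bot: `"build": "tsc"` only resolves if `typescript` is present in this package's `node_modules/.bin` (declared as a devDependency here or hoisted by the workspace); `npx tsc` would silently fetch typescript when it was missing, whereas `tsc` now fails with "command not found". The devDependencies are not in the hunk, so confirm `typescript` is declared before merging.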
4 changes: 2 additions & 2 deletions components/server/package.json
@@ -6,9 +6,9 @@
"scripts": {
"start": "node ./dist/main.js",
"start-inspect": "node --inspect=0.0.0.0:9229 ./dist/main.js",
"generate": "leeway run components/spicedb:generate-ts > src/authorization/definitions.ts && npx prettier --write src/authorization/definitions.ts",
"generate": "leeway run components/spicedb:generate-ts > src/authorization/definitions.ts && prettier --write src/authorization/definitions.ts",
"build:clean": "yarn clean && yarn lint && yarn build",
"build": "yarn generate && npx tsc",
"build": "yarn generate && tsc",
"lint": "yarn eslint src/*.ts src/**/*.ts",
"lint:fix": "yarn eslint src/*.ts src/**/*.ts --fix",
"rebuild": "yarn build:clean",
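Review bot: the `generate` script now depends on `prettier` being resolvable from `node_modules/.bin` in addition to `tsc` in `build`; if `prettier` is not a declared devDependency (or hoisted), `yarn generate` fails after `leeway run components/spicedb:generate-ts` has already rewritten src/authorization/definitions.ts, leaving an unformatted generated file behind. Check that both binaries are declared in this package.json.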
2 changes: 1 addition & 1 deletion components/ws-manager-bridge/package.json
@@ -8,7 +8,7 @@
"test": "mocha './**/*.spec.ts' --exclude './node_modules/**' --exit",
"lint": "yarn eslint src/*.ts src/**/*.ts",
"lint:fix": "yarn eslint src/*.ts src/**/*.ts --fix",
"build": "yarn lint && npx tsc",
"build": "yarn lint && tsc",
"build:clean": "yarn clean && yarn build",
"rebuild": "yarn build:clean",
"build:watch": "watch 'yarn build' .",
24 changes: 22 additions & 2 deletions dev/image/Dockerfile
Contributor

This file will need improvements similar to what I mentioned in .devcontainer/Dockerfile

@@ -126,10 +126,30 @@ USER gitpod
# Fix node version we develop against
ARG GITPOD_NODE_VERSION=22.17.0
RUN bash -c ". .nvm/nvm.sh \
&& nvm install $GITPOD_NODE_VERSION \
&& npm install -g typescript yarn @anthropic-ai/claude-code"
&& nvm install $GITPOD_NODE_VERSION"
ENV PATH=/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin:$PATH

# Disable npm/yarn lifecycle scripts by default (security hardening)
# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
RUN npm config set ignore-scripts true --location=user && \
echo 'ignore-scripts true' >> ~/.yarnrc

# Disable npx (security hardening - prevents arbitrary package execution)
RUN sudo rm -f /usr/bin/npx /usr/local/bin/npx && \
echo '#!/bin/sh' | sudo tee /usr/local/bin/npx > /dev/null && \
echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' | sudo tee -a /usr/local/bin/npx > /dev/null && \
echo 'exit 1' | sudo tee -a /usr/local/bin/npx > /dev/null && \
sudo chmod +x /usr/local/bin/npx

# Install npm-tools with locked dependencies
COPY dev/npm-tools/package.json dev/npm-tools/package-lock.json /opt/npm-tools/
RUN cd /opt/npm-tools && \
npm ci && \
for bin in /opt/npm-tools/node_modules/.bin/*; do \
sudo ln -sf "$bin" /usr/local/bin/$(basename "$bin"); \
done && \
rm -rf ~/.npm/_cacache

## Register leeway autocompletion in bashrc
RUN bash -c "echo . \<\(leeway bash-completion\) >> ~/.bashrc"
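Review bot: `COPY dev/npm-tools/package.json dev/npm-tools/package-lock.json /opt/npm-tools/` runs after `USER gitpod`, but COPY without `--chown` still creates the files and the directory as root, so the following `npm ci` as gitpod has to create `/opt/npm-tools/node_modules` inside a root-owned directory and fails with EACCES unless /opt/npm-tools already exists with gitpod ownership earlier in the file. Use `COPY --chown=gitpod:gitpod ...` or `sudo chown -R gitpod /opt/npm-tools` before `npm ci`. Second, `ENV PATH=/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin:$PATH` puts nvm's bin directory first, so the nvm-installed npx shadows the stub written to /usr/local/bin; stub or remove `/home/gitpod/.nvm/versions/node/v${GITPOD_NODE_VERSION}/bin/npx` as well, as already flagged for the devcontainer Dockerfile.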
