From f98e706127f4c5b15a4c1b44b18195f5faa48420 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Thu, 4 Dec 2025 15:53:34 +0000
Subject: [PATCH 1/2] Disable npm lifecycle scripts and npx for security
- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile
Fixes PDE-183
Co-authored-by: Ona
---
.devcontainer/Dockerfile | 12 ++++++++++++
.devcontainer/devcontainer.json | 4 +++-
CONTRIBUTING.md | 3 ++-
3 files changed, 17 insertions(+), 2 deletions(-)
create mode 100644 .devcontainer/Dockerfile
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 0000000..8cf3267
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:latest
+
+# Disable npm/yarn lifecycle scripts for security
+RUN npm config set ignore-scripts true --location=user && \
+echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx for security
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+echo '#!/bin/sh' > /usr/local/bin/npx && \
+echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+echo 'exit 1' >> /usr/local/bin/npx && \
+chmod +x /usr/local/bin/npx
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 43fd5a7..34c041d 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,7 +2,9 @@
 // README at: https://github.com/devcontainers/templates/tree/main/src/debian
 {
 "name": "Development",
-"image": "mcr.microsoft.com/devcontainers/typescript-node:latest",
+"build": {
+"dockerfile": "Dockerfile"
+},
 "features": {
 "ghcr.io/devcontainers/features/node:1": {}
 },
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 60cc611..b3703f0 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
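Review bot: The ignore-scripts setting in the first RUN is written only into the home of whichever user executes the build step (`--location=user` writes that user's npmrc, and `~/.yarnrc` likewise), so if the dev container later runs as a different account (the template's remoteUser, or the user the node feature configures), `yarn install` in postCreateCommand would still execute lifecycle scripts; `npm config set ignore-scripts true --location=global` plus writing the yarnrc for the runtime user — or passing `--ignore-scripts` on the install commands themselves — makes the control independent of which account runs it. The npx stub in the second RUN is narrower than the commit message states: it only replaces the two listed paths, `npm exec` (which current npx is an alias for) is untouched, and the `ghcr.io/devcontainers/features/node:1` feature in the devcontainer.json hunk installs its own Node toolchain after this Dockerfile is built, which would likely place a fresh npx ahead of `/usr/local/bin/npx` on PATH; confirm with `which -a npx` inside the finished container and document the limits in the comment, e.g. `# Best-effort: covers the base image's npx only; npm exec and feature-installed toolchains are not blocked`. The base is `typescript-node:latest`; pinning a tag (ideally with a digest) keeps the hardened image reproducible instead of drifting with upstream.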
@@ -68,7 +68,8 @@ $ pnpm link -—global @gitpod/sdk
 Most tests require you to [set up a mock server](https://github.com/stoplightio/prism) against the OpenAPI spec to run the tests.
 
 ```sh
-$ npx prism mock path/to/your/openapi.yml
+$ yarn add -D @stoplight/prism-cli
+$ yarn prism mock path/to/your/openapi.yml
 ```
 
 ```sh
From ed247b599706ffa3fdf4980d03a2b954abe69c55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Thu, 4 Dec 2025 16:24:42 +0000
Subject: [PATCH 2/2] Pin npm dependencies using yarn --frozen-lockfile
Use yarn install --frozen-lockfile to ensure dependencies are installed from the lock file.
Fixes PDE-190
Co-authored-by: Ona
---
.devcontainer/devcontainer.json | 2 +-
.github/workflows/publish-npm.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 34c041d..606e9e7 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -8,7 +8,7 @@
 "features": {
 "ghcr.io/devcontainers/features/node:1": {}
 },
-"postCreateCommand": "yarn install",
+"postCreateCommand": "yarn install --frozen-lockfile",
 "customizations": {
 "vscode": {
 "extensions": ["esbenp.prettier-vscode"]
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 9d34b14..3898f46 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -23,7 +23,7 @@ jobs: - name: Install dependencies run: | -yarn install +yarn install --frozen-lockfile - name: Publish to NPM run: |
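Review bot: `--frozen-lockfile` on the new postCreateCommand line is a Yarn 1 (classic) flag; Yarn 2+ treats it as a deprecated no-op and enforces the lockfile with `--immutable` instead, so unless the project pins its yarn version (a packageManager field in package.json, not visible in this patch) the pin is not guaranteed to be enforced. Yarn 1 also reportedly has cases where `--frozen-lockfile` does not fail on an outdated lockfile, so a CI assertion that the lockfile is unchanged after install is a useful backstop. The same flag question applies to the publish-npm.yml hunk of this patch. Since this command is what the first patch's ignore-scripts config is meant to protect, making that explicit here removes the dependency on which user's ~/.npmrc or ~/.yarnrc is in effect: `"postCreateCommand": "yarn install --frozen-lockfile --ignore-scripts"`.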
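Review bot: The publish workflow's install step now pins the lockfile but still runs lifecycle scripts: the ignore-scripts configuration from the first patch lives in the devcontainer Dockerfile, which does not exist on the GitHub Actions runner, so the publish path — the one with registry credentials in scope — is the least protected. The changed line would become `yarn install --frozen-lockfile --ignore-scripts`, with any prepare/build step the package genuinely needs before publishing run as its own explicit step after the install. The enclosing job and its steps list start and end outside the hunk, so the surrounding steps could not be checked here.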