feat: Enhance security in Dockerfile by configuring npm to delay new publishes and block lifecycle scripts

aligneddev · aligneddev · commit 478cb049be5a · 2026-04-01T10:20:52.000-05:00
diff --git a/.devcontainer/devcontainer.Dockerfile b/.devcontainer/devcontainer.Dockerfile
@@ -17,7 +17,10 @@ RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/s
   && apt-get update \
   && apt-get install -y --no-install-recommends podman nodejs \
   && rm -rf /var/lib/apt/lists/* \
-  && npm --version
+  && npm --version \
+  # Security hardening: delay installing very new publishes and block lifecycle scripts by default.
+  && npm config set --global min-release-age 1440 \
+  && npm config set --global ignore-scripts true
 
 # Ensure the SDK version from global.json is available in the image.
 RUN if dotnet --list-sdks | grep -q "^${REQUIRED_DOTNET_SDK_VERSION}"; then \
diff --git a/src/BikeTracking.Frontend/.npmrc b/src/BikeTracking.Frontend/.npmrc
@@ -0,0 +1,4 @@
+# Project-local npm hardening.
+# This complements the container's global npm config and can be tuned per-repo.
+min-release-age=1440
+ignore-scripts=true
