Apply install-script allowlist to Dockerfile npm ci #69
Follow-up from #16 (see ADR-0014 "Consequences").
The CI install-script policy from #46 / ADR-0010 blocks lifecycle scripts on every `npm ci` in `.forgejo/workflows/pr.yml` and runs only the packages allowlisted in `package.json` under `lavamoat.allowScripts`. The `RUN npm ci` line inside the multi-stage `Dockerfile` is not covered — lifecycle scripts on the production image build run unrestricted.

A compromised transitive dep that survived the PR-time gates (Renovate quarantine, OSV/Trivy scan, npm audit) could still execute a malicious `postinstall` during the release image build and bake the result into what self-hosters pull.

Scope

- `Dockerfile` `deps` stage to install with `--ignore-scripts` then run `npx allow-scripts`, mirroring the workflow pattern.
- `builder` and `runtime` stages don't regress this (today only `deps` does the install; `builder` reuses `node_modules` from `deps` via `COPY --from=deps`).
- `next>sharp`, `vitest>vite>esbuild`, and `eslint-config-next>...>unrs-resolver` allowlist entries must apply during the Docker build too — verify the `npx allow-scripts` invocation finds them inside the build container.
- `lefthook` entry in the allowlist is local-dev-only (postinstall short-circuits when `CI=true`); confirm it doesn't break the Docker build, where neither `CI=true` nor `.git` is necessarily present.

Acceptance criteria

- `docker build .` produces an image whose runtime layer matches today's image bit-for-bit (modulo the layer that ran the install step), confirming the allowlist correctly ran the needed native-binding scripts and skipped everything else.
- `postinstall` into a leaf dep and confirming the build fails with the `allow-scripts` "missing configuration" error) demonstrates the gate works inside the container.
- `Dockerfile` install policy is documented in `docs/ci.md` "Install scripts (allowlisted)" — at minimum a sentence saying the same policy now applies to both PR runs and the release build, with the consequence that adding a new install-script dep needs the allowlist update before the next tag.

Part of epic #2.
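
A lint that keeps the Dockerfile from drifting away from the workflow policy described in this issue, as an added example that is not part of the issue or the project's code. It flags any `npm ci`/`npm install` in a `RUN` instruction that lacks `--ignore-scripts`, and any stage that ignores scripts but never runs `npx allow-scripts`. The function name `lintInstallScripts`, the sample Dockerfile text and the `node:lts` base image are assumptions.

```javascript
// Added example (not the project's code). The Dockerfile text is constructed;
// stage names deps/builder follow the issue, the base image is a placeholder.
const BEFORE = `FROM node:lts AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
FROM node:lts AS builder
COPY --from=deps /app/node_modules ./node_modules`;

// Same file with the pattern from the issue's scope list applied.
const AFTER = BEFORE.replace(
  'RUN npm ci',
  'RUN npm ci --ignore-scripts \\\n && npx allow-scripts');

// Returns one finding per problem; an empty array means every npm install in
// the file is gated. Only command-line flags are inspected, not ENV or .npmrc.
function lintInstallScripts(dockerfile) {
  const findings = [];
  let stage = '(none)', index = 0, gatedInstall = false, ranAllowlist = false;
  const closeStage = () => {
    // Scripts were ignored but the allowlisted ones (native bindings) never ran.
    if (gatedInstall && !ranAllowlist) {
      findings.push({ stage, issue: 'allowlisted scripts never run' });
    }
    gatedInstall = ranAllowlist = false;
  };
  // Fold backslash continuations so each instruction is one logical line.
  for (const raw of dockerfile.replace(/\\\r?\n/g, ' ').split(/\r?\n/)) {
    const line = raw.trim();
    const from = /^FROM\s+\S+(?:\s+AS\s+(\S+))?/i.exec(line);
    if (from) {
      closeStage();
      stage = from[1] || `stage-${index}`;
      index += 1;
      continue;
    }
    if (!/^RUN\s/i.test(line)) continue;
    for (const part of line.slice(4).split(/&&|\|\||;/)) {
      const cmd = part.trim();
      if (/^npm\s+(ci|install|i)(\s|$)/.test(cmd)) {
        // --ignore-scripts=false re-enables scripts, so it does not count.
        if (/\s--ignore-scripts(=true)?(\s|$)/.test(cmd)) gatedInstall = true;
        else findings.push({ stage, issue: 'lifecycle scripts run unrestricted', cmd });
      } else if (/^npx\s(.*\s)?allow-scripts(\s|$)/.test(cmd)) {
        ranAllowlist = true;
      }
    }
  }
  closeStage();
  return findings;
}
console.log(lintInstallScripts(BEFORE), lintInstallScripts(AFTER));
```

Run against the repository's real `Dockerfile` in the PR workflow, a non-empty result can fail the job before the release image build ever executes an ungated install.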