Disable npm lifecycle scripts and npx for security (#71)

* Disable npm lifecycle scripts and npx for security

- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile

Fixes PDE-183

Co-authored-by: Ona <[email protected]>

* Use dynamic npx path detection instead of hardcoded paths

Replace hardcoded /usr/bin/npx and /usr/local/bin/npx with $(which npx)
to handle different npx installation locations.

Co-authored-by: Ona <[email protected]>

* Trying with postCreateCommand

Co-authored-by: Ona <[email protected]>

---------

Co-authored-by: Ona <[email protected]>

Author: jespino

.devcontainer/Dockerfile

@@ -3,10 +3,3 @@ FROM mcr.microsoft.com/devcontainers/typescript-node:latest
 # Disable npm/yarn lifecycle scripts for security
 RUN npm config set ignore-scripts true --location=user && \
     echo 'ignore-scripts true' >> ~/.yarnrc
-
-# Disable npx for security
-RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
-    echo '#!/bin/sh' > /usr/local/bin/npx && \
-    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
-    echo 'exit 1' >> /usr/local/bin/npx && \
-    chmod +x /usr/local/bin/npx

.devcontainer/devcontainer.json

@@ -8,7 +8,7 @@
   "features": {
     "ghcr.io/devcontainers/features/node:1": {}
   },
-  "postCreateCommand": "yarn install --frozen-lockfile",
+  "postCreateCommand": "NPX_PATH=$(which npx) && rm -f \"$NPX_PATH\" && echo '#!/bin/sh' > \"$NPX_PATH\" && echo 'echo \"npx is disabled for security reasons. Use explicit package installation instead.\" >&2' >> \"$NPX_PATH\" && echo 'exit 1' >> \"$NPX_PATH\" && chmod +x \"$NPX_PATH\" && yarn install --frozen-lockfile",
   "customizations": {
     "vscode": {
       "extensions": ["esbenp.prettier-vscode"]