root: bind-mount .npmrc into Dockerfile npm ci stages (#22462)

GirlBossRush · playpen-agent · web-flow · commit c0d0bffae0d1 · 2026-05-21T13:39:49.000+02:00
* root: bind-mount .npmrc into Dockerfile npm ci stages

`npm` walks up from cwd looking for `.npmrc`. The two Dockerfiles that
run `npm ci` (`lifecycle/container/Dockerfile` for the web build and
`website/Dockerfile` for the docs build) bind-mount package.json /
package-lock.json into the build context, but not `.npmrc`. As a result
the project-level settings — most importantly `ignore-scripts=true` —
are not honored inside the container, so a hypothetical malicious
package's preinstall/postinstall hook would execute during the image
build.

Adding `--mount=type=bind,target=/work/.npmrc,src=./.npmrc` to each
`npm ci` step closes that gap. The mount is read-only and only present
for the install step, so it adds no layer weight.

Co-authored-by: Agent &lt;279763771+playpen-agent@users.noreply.github.com&gt;

* Update bindmount.

---------

Co-authored-by: Agent &lt;279763771+playpen-agent@users.noreply.github.com&gt;
diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile
@@ -24,7 +24,8 @@ WORKDIR /work/web
 COPY ./packages /work/packages
 COPY ./web/packages /work/web/packages
 
-RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
+RUN --mount=type=bind,target=/work/.npmrc,src=./.npmrc \
+    --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
diff --git a/lifecycle/container/proxy.Dockerfile b/lifecycle/container/proxy.Dockerfile
@@ -21,7 +21,8 @@ RUN --mount=type=bind,target=/static/package.json,src=./package.json \
 
 COPY package.json /
 
-RUN --mount=type=bind,target=/static/package.json,src=./web/package.json \
+RUN --mount=type=bind,target=/static/.npmrc,src=./.npmrc \
+    --mount=type=bind,target=/static/package.json,src=./web/package.json \
     --mount=type=bind,target=/static/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/static/scripts,src=./web/scripts \
     --mount=type=cache,target=/root/.npm \
diff --git a/website/Dockerfile b/website/Dockerfile
@@ -17,7 +17,8 @@ RUN --mount=type=bind,target=/work/package.json,src=./package.json \
     node ./scripts/node/setup-corepack.mjs --force && \
     node ./scripts/node/lint-runtime.mjs ./website
 
-RUN --mount=type=bind,target=/work/package.json,src=./package.json \
+RUN --mount=type=bind,target=/work/.npmrc,src=./.npmrc \
+    --mount=type=bind,target=/work/package.json,src=./package.json \
     --mount=type=bind,target=/work/package-lock.json,src=./package-lock.json \
     --mount=type=bind,target=/work/scripts/node/,src=./scripts/node/ \
     --mount=type=bind,target=/work/packages/logger-js/,src=./packages/logger-js/ \
