Block npx and disable npm scripts in devcontainer (#215)

* Block npx and disable npm scripts in devcontainer

Add security hardening to the devcontainer by:
- Disabling npx command to prevent arbitrary package execution
- Setting ignore-scripts=true for npm and yarn to block lifecycle scripts

This prevents potential security risks from running untrusted scripts
during package installation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Replace npx puppeteer with global install in CI workflow

Install puppeteer globally using npm -g before calling it directly,
since npx is being disabled for security reasons.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* pin npm deps

* Fix

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jean Pierre <jeanp413@hotmail.com>

Author: 3 people

.devcontainer/Dockerfile

@@ -7,8 +7,8 @@
 	// Use "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
 	// instead of the build to use a pre-built image.
 	"build": {
-		"context": ".",
-		"dockerfile": "Dockerfile"
+        "context": "../dev",
+        "dockerfile": "../dev/Dockerfile"
 	},
 	"features": {
 		"ghcr.io/devcontainers/features/node:1": {
@@ -21,4 +21,4 @@
 		}
 	},
 	"privileged": true
-}
+}

.devcontainer/devcontainer.json

@@ -19,9 +19,9 @@ jobs:
           cache: "pnpm"
       - name: Install dependencies
         run: |
-          pnpm install
-          npx puppeteer browsers install
-          cd test && pnpm install
+          pnpm install --frozen-lockfile
+          pnpm run puppeteer-install
+          cd test && pnpm install --frozen-lockfile
       - name: Build the extension
         run: pnpm build
       - name: Run tests

.github/workflows/test.yml

@@ -0,0 +1,30 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
+
+# Install Node.js and npm
+RUN apt-get update && apt-get install -y curl && \
+    curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
+    apt-get install -y nodejs && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install global npm packages
+COPY npm-tools/package.json npm-tools/package-lock.json /opt/npm-tools/
+RUN cd /opt/npm-tools && \
+    npm ci && \
+    # Create symlinks for all binaries in node_modules/.bin
+    for bin in /opt/npm-tools/node_modules/.bin/*; do \
+        ln -sf "$bin" /usr/local/bin/$(basename "$bin"); \
+    done && \
+    # Cleanup npm cache
+    rm -rf ~/.npm/_cacache
+
+# Disable npm/yarn lifecycle scripts by default (security hardening)
+# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
+RUN npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx (security hardening - prevents arbitrary package execution)
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx