Node v3 Base Images
Overview
In our last two changelogs, we announced the automatic blocking of script execution in NPM and Yarn, along with our endorsement of pnpm as the safer, long-term solution for Node package management. pnpm stands out for its built-in tooling that lets developers manage an explicit "allowed list" of dependencies permitted to run post-install scripts.
Introducing Our v3 Images
By default, pnpm respects the ignore-scripts environment variable (NPM_CONFIG_IGNORE_SCRIPTS), which disables all post-install scripts.
This created a conflict:
- We need to enforce ignore-scripts for NPM and Yarn to maintain security.
- But we also want pnpm to execute its curated list of safe post-install scripts.
To resolve this, we have released v3 of our Node base images, which make the following changes:
- Renames npm to npm-unsafe
- Renames yarn to yarn-unsafe
- Introduces wrapper scripts for both tools:
  - npm wraps npm-unsafe and automatically sets NPM_CONFIG_IGNORE_SCRIPTS=true
  - yarn wraps yarn-unsafe and automatically sets YARN_ENABLE_SCRIPTS=false
- Removes the ignore-scripts environment variables from the Dockerfile, allowing pnpm to execute its managed, "allowed" list of post-install scripts.
The following disclaimer is automatically added to the top of the output when the npm command is run:
============================================================
⚠️ DISCLAIMER: Package lifecycle scripts are disabled ⚠️
============================================================
Environment variable enforced:
NPM_CONFIG_IGNORE_SCRIPTS=true
Scripts will NOT run during npm install.
If you need to bypass this restriction (not recommended),
you must explicitly invoke:
npm-unsafe <command>
⚠️ WARNING: Running with npm-unsafe allows untrusted scripts
to execute and may compromise your system.
------------------------------------------------------------
From the Skpr Platform Team
============================================================
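As an added example (not the Skpr base images' own wrapper script), the POSIX shell below reproduces the mechanism described above: the real binary is renamed to <tool>-unsafe, a guard script is installed under the original name that exports the enforcing variable and prints a banner to stderr, and the guard then execs the renamed binary with the caller's arguments. The bin directory /usr/local/bin, the script name wrap.sh, the function names and the shortened banner wording are assumptions; only the variable names and values come from the changelog.

```shell
#!/bin/sh
# Added example reproducing the v3 wrapper mechanism. Assumed: the wrapper
# lives in the same bin directory as the tool it guards, and the banner text
# is an abbreviated version of the one shown in the changelog.

# install_wrapper BINDIR TOOL VAR VALUE
# 1. Renames BINDIR/TOOL to BINDIR/TOOL-unsafe (the real, unguarded binary).
# 2. Writes a new BINDIR/TOOL that prints the banner, exports VAR=VALUE and
#    execs TOOL-unsafe, so every plain TOOL invocation is guarded.
# Idempotent: a second call finds TOOL-unsafe and does nothing.
install_wrapper() {
    bindir=$1; tool=$2; var=$3; value=$4
    [ -e "$bindir/$tool-unsafe" ] && return 0
    [ -x "$bindir/$tool" ] || return 1
    mv "$bindir/$tool" "$bindir/$tool-unsafe" || return 1
    # Unquoted heredoc: $bindir, $tool, $var, $value expand now; \$@ stays
    # literal so the generated script forwards its own arguments.
    cat > "$bindir/$tool" <<EOF
#!/bin/sh
# Guarded $tool: package lifecycle scripts are disabled through $var.
cat <<BANNER >&2
============================================================
DISCLAIMER: Package lifecycle scripts are disabled
============================================================
Environment variable enforced: $var=$value
To bypass this restriction (not recommended), run: $tool-unsafe <command>
============================================================
BANNER
export $var=$value
exec "$bindir/$tool-unsafe" "\$@"
EOF
    chmod 0755 "$bindir/$tool"
}

# Usage from a Dockerfile RUN step (assumed path /usr/local/bin):
#   sh wrap.sh --install
if [ "${1:-}" = "--install" ]; then
    install_wrapper /usr/local/bin npm  NPM_CONFIG_IGNORE_SCRIPTS true
    install_wrapper /usr/local/bin yarn YARN_ENABLE_SCRIPTS false
fi
```

After installation, `npm config get ignore-scripts` run through the wrapper should print `true`, while `npm-unsafe config get ignore-scripts` reports whatever the image's npm configuration would otherwise apply; that pair of commands is a quick way to confirm the guard is actually on the PATH ahead of any other npm.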
Recommended Upgrade Path
- Adopt pnpm for your development projects as the preferred package manager.
- Upgrade to v3 of the Node base images, which enable pnpm to safely execute its managed list of post-install scripts.
But I Really Want to Use NPM and/or Yarn
If absolutely necessary (though not recommended), development teams can opt out by explicitly using:
- npm-unsafe
- yarn-unsafe