
Node v3 Base Images

· 2 min read
Skpr Platform Team
Platform Engineering

Overview

In our last two changelogs we announced that lifecycle (install) script execution is now blocked automatically for NPM and Yarn, and endorsed pnpm as the safer, long-term choice for Node package management. pnpm stands out because it ships with tooling for an explicit allow list (the pnpm.onlyBuiltDependencies setting in package.json) of the dependencies that are permitted to run their install scripts; every other dependency's scripts are skipped.

Introducing Our v3 Images

pnpm also honours npm's ignore-scripts setting, including the NPM_CONFIG_IGNORE_SCRIPTS environment variable. When that variable is set, pnpm skips every lifecycle script, including the ones on its allow list.

This created a conflict:

  • We need to enforce ignore-scripts for NPM and Yarn to maintain security.
  • But we also want pnpm to execute its curated list of safe post-install scripts.

To resolve this, we have released v3 of our Node base images, which make the following changes:

  • Renames npm to npm-unsafe
  • Renames yarn to yarn-unsafe
  • Introduces wrapper scripts for both tools:
    • npm → wraps npm-unsafe and automatically sets NPM_CONFIG_IGNORE_SCRIPTS=true
    • yarn → wraps yarn-unsafe and automatically sets YARN_ENABLE_SCRIPTS=false
  • Removes the ignore-scripts environment variables from the Dockerfile, allowing pnpm to execute its managed, "allowed" list of post-install scripts.
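As an added example (not the Skpr v3 image's own wrapper, which this changelog does not reproduce), here is a minimal POSIX sh shim in the style described above, together with a harness that exercises it against a stub npm-unsafe so it runs without npm installed. It assumes the real CLI has been renamed to npm-unsafe and the shim sits on PATH as npm. It also closes a gap that the environment variable alone leaves open: npm gives command-line flags precedence over environment variables, so npm install --ignore-scripts=false would quietly re-enable scripts. The shim refuses the known spellings of that flag; which spellings it checks is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not the Skpr v3 image's actual wrapper: a minimal "npm" shim in
# the style the changelog describes, plus a harness that exercises it against a
# stub npm-unsafe so it runs without npm installed.
# Assumptions: the real CLI has been renamed to npm-unsafe, and the shim is
# installed on PATH as "npm".

# write_npm_wrapper FILE: writes the shim to FILE and marks it executable.
write_npm_wrapper() {
  cat > "$1" <<'WRAPPER'
#!/bin/sh
# Installed as "npm": forces lifecycle scripts off, then hands over to npm-unsafe.
# npm gives command-line flags precedence over environment variables, so an
# explicit --ignore-scripts=false would silently win over the variable set
# below. Refuse the spellings handled here (an assumption of this example) and
# point the caller at npm-unsafe instead.
for arg in "$@"; do
  case "$arg" in
    --ignore-scripts=false|--no-ignore-scripts)
      echo "npm: '$arg' is blocked in this image; use npm-unsafe if you really need scripts" >&2
      exit 2 ;;
  esac
done
cat >&2 <<'BANNER'
============================================================
DISCLAIMER: package lifecycle scripts are disabled
Environment variable enforced: NPM_CONFIG_IGNORE_SCRIPTS=true
To bypass (not recommended): npm-unsafe <command>
============================================================
BANNER
# A plain assignment overrides whatever the caller exported, and the env var
# in turn overrides any ignore-scripts=false in a project .npmrc.
NPM_CONFIG_IGNORE_SCRIPTS=true
export NPM_CONFIG_IGNORE_SCRIPTS
exec npm-unsafe "$@"
WRAPPER
  chmod +x "$1"
}

# run_wrapped_npm ARGS...: installs the shim beside a stub npm-unsafe in a
# throwaway directory, runs it with a hostile NPM_CONFIG_IGNORE_SCRIPTS=false in
# the environment, and prints what the stub saw. Returns the shim's exit status.
run_wrapped_npm() {
  dir=$(mktemp -d) || return 1
  write_npm_wrapper "$dir/npm"
  cat > "$dir/npm-unsafe" <<'STUB'
#!/bin/sh
# Constructed stand-in for the real npm: report the setting and the arguments.
echo "ignore_scripts=${NPM_CONFIG_IGNORE_SCRIPTS:-unset} args=$*"
STUB
  chmod +x "$dir/npm-unsafe"
  if out=$(cd "$dir" && NPM_CONFIG_IGNORE_SCRIPTS=false PATH="$dir:$PATH" ./npm "$@" 2>/dev/null); then
    status=0
  else
    status=$?
  fi
  rm -rf "$dir"
  printf '%s\n' "$out"
  return "$status"
}

# Normal call: the stub reports ignore_scripts=true args=install --save lodash
run_wrapped_npm install --save lodash
# Attempted override: the shim refuses before npm-unsafe ever runs (exit 2).
run_wrapped_npm --no-ignore-scripts install || echo "blocked with status $?"
```

The harness deliberately exports NPM_CONFIG_IGNORE_SCRIPTS=false before calling the shim to show that a caller's environment cannot win: the shim's own assignment is the last word before exec. Commands that name a script explicitly (npm run build, npm test) still run that script under ignore-scripts; only pre/post hooks and dependency install scripts are suppressed, so builds that rely on npm run keep working.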

The following disclaimer is automatically added to the top of the output when the npm command is run:

============================================================
⚠️ DISCLAIMER: Package lifecycle scripts are disabled ⚠️
============================================================

Environment variable enforced:
NPM_CONFIG_IGNORE_SCRIPTS=true

Scripts will NOT run during npm install.

If you need to bypass this restriction (not recommended),
you must explicitly invoke:

npm-unsafe <command>

⚠️ WARNING: Running with npm-unsafe allows untrusted scripts
to execute and may compromise your system.

------------------------------------------------------------
From the Skpr Platform Team
============================================================

Our recommendations:

  • Adopt pnpm for your development projects as the preferred package manager.
  • Upgrade to v3 of the Node base images, which enable pnpm to safely execute its managed list of post-install scripts.

But I Really Want to Use NPM and/or Yarn

If absolutely necessary (though not recommended), development teams can opt out per command by invoking the renamed binaries directly, which run lifecycle scripts exactly as stock npm and yarn do:

  • npm-unsafe
  • yarn-unsafe
