Node v3 Base Images

Overview

In our last two changelogs, we announced the automatic blocking of script execution in NPM and Yarn, along with our endorsement of pnpm as the safer, long-term solution for Node package management. pnpm stands out for its built-in tooling that lets developers manage an explicit "allowed list" of dependencies permitted to run post-install scripts.

Introducing Our v3 Images

By default, pnpm respects the ignore-scripts environment variable (NPM_CONFIG_IGNORE_SCRIPTS), which disables all post-install scripts.

This created a conflict:

  • We need to enforce ignore-scripts for NPM and Yarn to maintain security.
  • But we also want pnpm to execute its curated list of safe post-install scripts.

To resolve this, we have released v3 of our Node base images, which make the following changes:

  • Renames npm to npm-unsafe
  • Renames yarn to yarn-unsafe
  • Introduces wrapper scripts for both tools:
    • npm → wraps npm-unsafe and automatically sets NPM_CONFIG_IGNORE_SCRIPTS=true
    • yarn → wraps yarn-unsafe and automatically sets YARN_ENABLE_SCRIPTS=false
  • Removes the ignore-scripts environment variables from the Dockerfile, allowing pnpm to execute its managed, "allowed" list of post-install scripts.

The following disclaimer is automatically added to the top of the output when the npm command is run:

============================================================
⚠️ DISCLAIMER: Package lifecycle scripts are disabled ⚠️
============================================================

Environment variable enforced:
NPM_CONFIG_IGNORE_SCRIPTS=true

Scripts will NOT run during npm install.

If you need to bypass this restriction (not recommended),
you must explicitly invoke:

npm-unsafe <command>

⚠️ WARNING: Running with npm-unsafe allows untrusted scripts
to execute and may compromise your system.

------------------------------------------------------------
From the Skpr Platform Team
============================================================
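
As an added illustration of the wrapper mechanism described above (this is not Skpr's own wrapper script, which the changelog does not reproduce), the POSIX shell snippet below shows how a front-end can print the disclaimer, force the script-disabling variable for npm or yarn, and then hand off to the renamed binary. It assumes the renamed binaries are on PATH as npm-unsafe and yarn-unsafe; the NPM_BIN/YARN_BIN overrides and the guard_setting and guarded_run function names are this example's own.

```shell
#!/bin/sh
# Added example (not Skpr's script): a wrapper that enforces script blocking
# for npm and yarn before delegating to the renamed, unwrapped binaries.
# Assumption: npm-unsafe and yarn-unsafe are on PATH; NPM_BIN / YARN_BIN can
# override those names (used here to exercise the wrapper without real tools).
NPM_BIN="${NPM_BIN:-npm-unsafe}"
YARN_BIN="${YARN_BIN:-yarn-unsafe}"

# Map a tool name to the VAR=value that disables its lifecycle scripts.
# pnpm is deliberately absent: the v3 images leave it unwrapped so it can run
# its own allow-listed post-install scripts.
guard_setting() {
  case "$1" in
    npm)  echo "NPM_CONFIG_IGNORE_SCRIPTS=true" ;;
    yarn) echo "YARN_ENABLE_SCRIPTS=false" ;;
    *)    return 1 ;;
  esac
}

# The banner goes to stderr so machine-readable stdout (e.g. `npm ls --json`)
# stays parseable; that is this example's choice, not the changelog's.
print_disclaimer() {
  cat >&2 <<EOF
============================================================
DISCLAIMER: Package lifecycle scripts are disabled
============================================================
Environment variable enforced: $2
Scripts will NOT run during $1 install.
To bypass this restriction (not recommended), invoke ${1}-unsafe <command>.
============================================================
EOF
}

# guarded_run <npm|yarn> [args...]
# Exports the guard variable inside a subshell so the caller's environment is
# untouched, then runs the renamed binary with the original arguments.
guarded_run() {
  [ $# -ge 1 ] || { echo "usage: guarded_run <npm|yarn> [args...]" >&2; return 2; }
  tool="$1"; shift
  setting="$(guard_setting "$tool")" || { echo "unknown tool: $tool" >&2; return 2; }
  case "$tool" in
    npm)  bin="$NPM_BIN" ;;
    yarn) bin="$YARN_BIN" ;;
  esac
  print_disclaimer "$tool" "$setting"
  (
    export "$setting"
    "$bin" "$@"
  )
}

# Stand-alone use: `sh wrapper.sh install` behaves like the v3 `npm` wrapper.
if [ "${0##*/}" = "wrapper.sh" ]; then
  guarded_run npm "$@"
fi
```

Installed as `npm` and `yarn` ahead of the renamed binaries on PATH, this gives the behaviour the v3 images describe: every invocation carries the disabling variable, and only a deliberate call to npm-unsafe or yarn-unsafe runs lifecycle scripts.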

  • Adopt pnpm for your development projects as the preferred package manager.
  • Upgrade to v3 of the Node base images, which enable pnpm to safely execute its managed list of post-install scripts.

But I Really Want to Use NPM and/or Yarn

If absolutely necessary (though not recommended), development teams can opt out by explicitly using:

  • npm-unsafe
  • yarn-unsafe

Resources