Skip to content

ci: add npmrc file for bkc#3260

Open
rsdmike wants to merge 1 commit intomainfrom
ciNpmInstall
Open

ci: add npmrc file for bkc#3260
rsdmike wants to merge 1 commit intomainfrom
ciNpmInstall

Conversation

@rsdmike
Copy link
Copy Markdown
Member

@rsdmike rsdmike commented Apr 13, 2026

PR Checklist

  • Unit Tests have been added for new changes
  • API tests have been updated if applicable
  • All commented code has been removed
  • If you've added a dependency, you've ensured license is compatible with Apache 2.0 and clearly outlined the added dependency.

What are you changing?

Anything the reviewer should know when reviewing this PR?

If the there are associated PRs in other repositories, please link them here (i.e. device-management-toolkit/repo#365 )

Copilot AI review requested due to automatic review settings April 13, 2026 21:40
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR appears to introduce an .npmrc and update the Docker build to use it, aiming to apply npm “best known configuration” (BKC) settings during container builds.

Changes:

  • Add a new root-level .npmrc with npm config flags (including ignore-scripts=true)
  • Update Dockerfile to copy .npmrc into the build stage
  • Change Docker build dependency installation to npm ci --ignore-scripts

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
Dockerfile Copies .npmrc into the build stage and installs deps with scripts disabled
.npmrc Adds npm configuration intended for hardened installs (e.g., ignoring scripts)

Comment thread Dockerfile
COPY package.json package-lock.json ./
RUN npm ci
COPY package.json package-lock.json .npmrc ./
RUN npm ci --ignore-scripts
Copy link

Copilot AI Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm ci --ignore-scripts will skip dependency install scripts needed for the build. This repo depends on esbuild which has hasInstallScript: true in package-lock.json (required to set up the platform binary), so the subsequent npm run build is very likely to fail at runtime. Consider allowing install scripts during the image build, or only disabling scripts selectively for known-safe scenarios rather than globally for the whole install step.

Suggested change
RUN npm ci --ignore-scripts
RUN npm ci

Copilot uses AI. Check for mistakes.
Comment thread .npmrc
@@ -0,0 +1,3 @@
ignore-scripts=true
Copy link

Copilot AI Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting ignore-scripts=true at the repo root will disable install scripts for all npm install/ci runs (including local dev and CI). This project’s dependency tree includes packages like esbuild with hasInstallScript: true in package-lock.json, so globally ignoring scripts can break installs/builds. If the goal is a hardened CI setting, consider scoping this to the container/CI environment rather than committing it as a global .npmrc.

Suggested change
ignore-scripts=true

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rsdmike