Remove non-deterministic npm install -g npm from devcontainer Dockerfile#956
Merged
decyjphr merged 3 commits into main-enterprise on Mar 30, 2026
…r Dockerfile
Agent-Logs-Url: https://github.com/github/safe-settings/sessions/0af97764-5b14-4195-ad8a-6b8adf723453
Co-authored-by: decyjphr <57544838+decyjphr@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix code scanning alert 129" to "Remove non-deterministic npm install -g npm from devcontainer Dockerfile" on Mar 30, 2026
Contributor
Pull request overview
This PR improves devcontainer build reproducibility by removing an unpinned global npm upgrade step that could change across rebuilds, aligning the dev environment with deterministic build expectations.
Changes:
- Removed RUN npm install -g npm from the devcontainer Dockerfile to avoid non-deterministic npm version updates.
- Corrected a comment typo (Intall → Install).
Comments suppressed due to low confidence (1)
.devcontainer/Dockerfile:22
- The AWS CLI install step fetches a moving target (no version pin) and doesn’t verify an expected checksum/signature. That keeps the devcontainer build non-reproducible and increases supply-chain risk; consider pinning an explicit AWS CLI version (and verifying its checksum) to make rebuilds deterministic.
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" && \
unzip awscliv2.zip && \
sudo ./aws/install && \
rm -rf ./aws && \
rm awscliv2.zip
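The suppressed comment above recommends pinning the AWS CLI version and verifying its checksum. The following is an added example of that pattern, written for this review and not code from the safe-settings repository: a POSIX shell script with a fail-closed checksum check, the install step rewritten to use it, and a self-contained demonstration on a constructed file. AWS_CLI_VERSION and AWS_CLI_SHA256 are placeholders (the real digest must come from the vendor's published checksum, never from the downloaded file itself), and the versioned download URL shape is an assumption to be confirmed against the AWS CLI documentation.

```shell
#!/bin/sh
# Added example: pin a version and verify a checksum before installing.
# Not the safe-settings project's own Dockerfile or script.
set -eu

# In the Dockerfile these would be build args, e.g.
#   ARG AWS_CLI_VERSION=<pinned version>
#   ARG AWS_CLI_SHA256=<digest published by the vendor for that version>
# Both values here are placeholders, not real pins.
AWS_CLI_VERSION="${AWS_CLI_VERSION:-PLACEHOLDER_VERSION}"
AWS_CLI_SHA256="${AWS_CLI_SHA256:-PLACEHOLDER_SHA256}"

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: returns 0 on match, 1 on mismatch.
# Fails closed: a mismatch means the artifact is not the one that was pinned,
# so the caller must not unpack or run it.
verify_sha256() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Versioned artifact URL instead of the floating
# "awscli-exe-linux-$(uname -m).zip" the Dockerfile currently fetches.
# ASSUMPTION: the "-<version>" suffix follows the AWS CLI docs; confirm there.
pinned_download_url() {
  echo "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m)-${AWS_CLI_VERSION}.zip"
}

# The RUN step rewritten with the pin and the check (needs network; not run
# by the demonstration below). -f makes curl fail on HTTP errors instead of
# saving an error page as the archive.
install_pinned_aws_cli() {
  curl -fsSL "$(pinned_download_url)" -o awscliv2.zip
  verify_sha256 awscliv2.zip "$AWS_CLI_SHA256"
  unzip -q awscliv2.zip
  sudo ./aws/install
  rm -rf ./aws awscliv2.zip
}

# Offline demonstration on a constructed artifact (the bytes "hello\n", whose
# SHA-256 is well known), exercising both the accept and the reject path.
# Returns 0 only if the good digest is accepted AND the bad digest is rejected.
demo_verify() {
  tmp="$(mktemp)"
  printf 'hello\n' > "$tmp"
  good="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
  bad="0000000000000000000000000000000000000000000000000000000000000000"
  if verify_sha256 "$tmp" "$good"; then ok=1; else ok=0; fi
  if verify_sha256 "$tmp" "$bad" 2>/dev/null; then rej=0; else rej=1; fi
  rm -f "$tmp"
  [ "$ok" = 1 ] && [ "$rej" = 1 ]
}
```

In a Dockerfile the same sequence goes into the RUN step with the version and digest supplied as ARG values, so a rebuild either produces the identical AWS CLI or fails loudly; the check would have caught a swapped or corrupted download that the current unpinned, unverified step silently installs.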
Code scanning flagged RUN npm install -g npm in .devcontainer/Dockerfile as non-deterministic — without a pinned version, each rebuild may pull a different npm version, violating reproducible build requirements.
Changes
.devcontainer/Dockerfile: Removed RUN npm install -g npm. The base image mcr.microsoft.com/devcontainers/javascript-node:1-22-bookworm already ships with npm; the unpinned global update is redundant and non-deterministic.
Intall → Install
The production Dockerfile already correctly uses npm ci for dependency installation and was not affected.