From 9e02ab69917893d67b777e2230a309dd38e07273 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Thu, 20 Feb 2025 10:41:29 +0100
Subject: [PATCH] build: restrict postinstall scripts (#34339)

---
 package.json            |  4 ++++
 tools/docker/Dockerfile | 16 +++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index 3c231c714d..0a109fab0f 100644
--- a/package.json
+++ b/package.json
@@ -364,6 +364,10 @@
       "mv",
       "safe-json-stringify"
     ],
+    "onlyBuiltDependencies": [
+      "better-sqlite3",
+      "re2"
+    ],
     "overrides": {
       "@semantic-release/github>@octokit/plugin-paginate-rest": "11.4.1"
     }
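Review bot: The new `onlyBuiltDependencies` entries carry no rationale, and JSON gives no place to put one; a line in the contributing or build docs saying that `better-sqlite3` and `re2` are the two dependencies whose install scripts must still run (they appear to be native addons) and that every other dependency's lifecycle script is now skipped would stop the next person from widening the list casually. The list matches by package name only, so the `pnpm-lock.yaml` pin remains the control over which versions of those two packages get to execute code at install time — worth keeping in mind when reviewing bumps to either. Whether `pnpm rebuild`, which the Dockerfile in this same commit now runs, also honours this list depends on the pnpm version in use and should be confirmed against the pinned pnpm.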
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 90d5b69406..26c9efbae5 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -51,30 +51,32 @@ RUN set -ex; \
   cp ${temp_dir}/bin/node ./node; \
   true
 
-# fetch npm packages
+# prepare pnpm env
 ENV CI=1 npm_config_modules_cache_max_age=0 \
   npm_config_loglevel=info
 
-
 # replace `amd64` with `x64` for `node`
 ENV ARCH=${TARGETARCH/amd64/x64}
-
-COPY --link pnpm-lock.yaml ./
-
 # set `npm_config_arch` for `prebuild-install`
 # set `npm_config_platform_arch` for `install-artifact-from-github`
 ENV npm_config_arch=${ARCH} npm_config_platform_arch=${ARCH}
 
+COPY --link pnpm-lock.yaml ./
+
 # only fetch deps from lockfile https://pnpm.io/cli/fetch
 RUN set -ex; \
-  pnpm fetch --prod; \
+  pnpm fetch --prod --ignore-scripts; \
   true
 
 COPY --link . ./
 
+# disable prepare script
+RUN sed -i -e "s/run-s 'prepare:\*'/true/" package.json
+
 # install npm packages
 RUN set -ex; \
-  pnpm install --prod --offline --ignore-scripts; \
+  pnpm install --prod --offline; \
+  pnpm rebuild; \
   true
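Review bot: The added `RUN sed -i -e "s/run-s 'prepare:\*'/true/" package.json` step fails open: if the `prepare` script is ever reworded (quotes dropped, task renamed), the substitution becomes a no-op, the layer still succeeds, and the root project's prepare script runs again during `pnpm install --prod --offline` now that `--ignore-scripts` has been removed from that command. Make the step assert its own effect so the build breaks instead of silently re-enabling the script, e.g. `RUN set -ex; \` / `grep -q "run-s 'prepare:\*'" package.json; \` / `sed -i -e "s/run-s 'prepare:\*'/true/" package.json`. A comment on why the script is neutralised by text substitution rather than by keeping `--ignore-scripts` (presumably because that flag would also suppress the allow-listed native builds — the commit message does not say) would help the next reader. The `--ignore-scripts` added to `pnpm fetch` is harmless, but as far as I know `pnpm fetch` never runs lifecycle scripts, so a short "belt-and-braces" comment there would avoid the impression that it is doing the real work.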
 
 # --------------------------------------
-- 
GitLab