From b741b02408cde13fda682b5fb376926eefc250d5 Mon Sep 17 00:00:00 2001
From: docker-claude
Date: Mon, 20 Apr 2026 16:37:00 +0200
Subject: [PATCH] fix(dockerfile): scrub npm auth tokens written during image build
npm automatically picks up GITHUB_TOKEN / NPM_TOKEN from the build environment and writes them as _authToken entries in /root/.npmrc and /usr/local/etc/npmrc during 'npm install -g'. Add a cleanup RUN step that removes any npmrc file containing auth tokens before the image is finalised, and explicitly deletes the two most common registry auth keys via 'npm config delete'. Also add .npmrc to .dockerignore as an extra guard against accidentally COPY-ing a local credential file into the build context.
Co-Authored-By: Claude Sonnet 4.6
---
.dockerignore | 1 +
claude.sh | 0
claude/Dockerfile | 9 +++++++++
hooks/pre-commit | 0
launch.sh | 0
setup.sh | 0
6 files changed, 10 insertions(+)
mode change 100644 => 100755 claude.sh
mode change 100644 => 100755 hooks/pre-commit
mode change 100644 => 100755 launch.sh
mode change 100644 => 100755 setup.sh
diff --git a/.dockerignore b/.dockerignore
index ba76e9d..fc75c26 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 .env
+.npmrc
 *.log
 .git
 README.md
diff --git a/claude.sh b/claude.sh
old mode 100644
new mode 100755
diff --git a/claude/Dockerfile b/claude/Dockerfile
index fdcccec..9626ff5 100644
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
@@ -62,6 +62,15 @@ RUN for pkg_dir in \
 || true; \
 done
 
+# Remove any npm auth credentials written during install.
+# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment
+# and persists them in .npmrc files — scrub all of them before the image is finalised.
+RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
+ | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
+ | xargs rm -f 2>/dev/null || true \
+ && npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \
+ && npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true
+
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the
 # correct ownership when first mounted (Docker copies image content into
diff --git a/hooks/pre-commit b/hooks/pre-commit
old mode 100644
new mode 100755
diff --git a/launch.sh b/launch.sh
old mode 100644
new mode 100755
diff --git a/setup.sh b/setup.sh
old mode 100644
new mode 100755
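Review bot: The scrub in the new RUN cannot remove the credential from the image: any .npmrc written during the preceding `npm install -g` loop (the `for pkg_dir in` RUN whose `done` closes in this hunk but which starts outside it) was committed to that earlier layer, so the later `rm -f` only masks the file in the final filesystem while `docker history` / `docker save` still expose the layer holding the token. The deletion has to happen in the same RUN that performs the install, and the more robust fix is to keep the token out of the build environment entirely by mounting it with `RUN --mount=type=secret,id=npmrc,target=/root/.npmrc …` instead of exporting GITHUB_TOKEN / NPM_TOKEN (a token passed via ARG/ENV is additionally retained in the image config). Two smaller points: `npm config delete` without `--location=global` edits only the user-level ~/.npmrc that the `find | xargs rm -f` pipeline already removed, so those two lines never reach /usr/local/etc/npmrc, and `xargs rm -f` on empty input runs `rm` with no operands, which `xargs -r` (GNU) avoids rather than relying on `2>/dev/null || true` to hide it. Folding the scrub into the install step would look like this, with the loop body unchanged:
```dockerfile
RUN for pkg_dir in \
    # … unchanged: per-package `npm install -g` loop body …
    done \
    # Scrub in the SAME layer: a file deleted by a later RUN stays in this one.
    && { find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
           | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
           | xargs -r rm -f 2>/dev/null || true; } \
    && npm config delete //npm.pkg.github.com/:_authToken --location=global 2>/dev/null || true \
    && npm config delete //registry.npmjs.org/:_authToken --location=global 2>/dev/null || true
```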