fix(dockerfile): scrub npm auth tokens written during image build

npm automatically picks up GITHUB_TOKEN / NPM_TOKEN from the build environment and writes them as _authToken entries in /root/.npmrc and /usr/local/etc/npmrc during 'npm install -g'. Add a cleanup RUN step that removes any npmrc file containing auth tokens before the image is finalised, and explicitly deletes the two most common registry auth keys via 'npm config delete'. Also add .npmrc to .dockerignore as an extra guard against accidentally COPY-ing a local credential file into the build context. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 16:37:00 +02:00 · 2026-04-20 16:37:00 +02:00 · b741b02408
commit b741b02408
parent 12d75b0dc2
6 changed files with 10 additions and 0 deletions
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
@ -62,6 +62,15 @@ RUN for pkg_dir in \
      || true; \
  done

+# Remove any npm auth credentials written during install.
+# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment
+# and persists them in .npmrc files — scrub all of them before the image is finalised.
+RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
+      | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
+      | xargs rm -f 2>/dev/null || true \
+  && npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \
+  && npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true
+
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the
 # correct ownership when first mounted (Docker copies image content into