fix(dockerfile): scrub npm auth tokens written during image build

Browse source

npm automatically picks up GITHUB_TOKEN / NPM_TOKEN from the build
environment and writes them as _authToken entries in /root/.npmrc and
/usr/local/etc/npmrc during 'npm install -g'.  Add a cleanup RUN step
that removes any npmrc file containing auth tokens before the image is
finalised, and explicitly deletes the two most common registry auth
keys via 'npm config delete'.

Also add .npmrc to .dockerignore as an extra guard against accidentally
COPY-ing a local credential file into the build context.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

...

This commit is contained in:

docker-claude 2026-04-20 16:37:00 +02:00

parent 12d75b0dc2

commit b741b02408

6 changed files with 10 additions and 0 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download patch file Download diff file Expand all files Collapse all files

0

claude.sh Normal file → Executable file

Unescape Escape View file