The blogpost and this repo haven't moved any lines. Nobody at npm cares enough to explore this direction, so lifecycle contained (docker or something else) by default won't happen anytime soon.
It seems that the threat npm is interested in is malicious packages being distributed via npm. The threat I care about is my machine being infected by such a package when one slips through.
This work will remain an opt-in for the time being.
This work is worthless is used by no one. I'll use it myself and do anything reasonable for others to be able to use it as well
- Put the contained versions somewhere
- Add this somewhere to the
$PATH - Make that
nodepoints to the contained version andunsafe-nodeto the uncontained version. Same fornpm. - Make the Docker image use the host
node/npmexecutables (let's try as :ro) so that there are always in sync; no need to upgrade the docker image. - Make the docker image and publish it to the docker hub
- Make that created files are chown'ed by the current user and not
root(there might be a uid trick of some kind)
Pretty much done. Remaining:
- .npm
- .npmrc
Need some way to provide additional caps (certainly via docker-compose + extends. Need to figure out how in a way that's maintainable)