Disable npm lifecycle scripts and npx for security

- Create Dockerfile with ignore-scripts configuration for npm/yarn
- Disable npx with informative error message
- Update devcontainer.json to use the new Dockerfile

Fixes PDE-183

Co-authored-by: Ona <no-reply@ona.com>

Author: jespino

.devcontainer/Dockerfile

@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:latest
+
+# Disable npm/yarn lifecycle scripts for security
+RUN npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx for security
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx

.devcontainer/devcontainer.json

@@ -2,7 +2,9 @@
 // README at: https://github.com/devcontainers/templates/tree/main/src/debian
 {
   "name": "Development",
-  "image": "mcr.microsoft.com/devcontainers/typescript-node:latest",
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
   "features": {
     "ghcr.io/devcontainers/features/node:1": {}
   },