diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 0000000..8cf3267
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/devcontainers/typescript-node:latest
+
+# Disable npm/yarn lifecycle scripts for security
+RUN npm config set ignore-scripts true --location=user && \
+ echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx for security
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+ echo '#!/bin/sh' > /usr/local/bin/npx && \
+ echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+ echo 'exit 1' >> /usr/local/bin/npx && \
+ chmod +x /usr/local/bin/npx
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 43fd5a7..34c041d 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,7 +2,9 @@
 // README at: https://github.com/devcontainers/templates/tree/main/src/debian
 {
 "name": "Development",
- "image": "mcr.microsoft.com/devcontainers/typescript-node:latest",
+ "build": {
+ "dockerfile": "Dockerfile"
+ },
 "features": {
 "ghcr.io/devcontainers/features/node:1": {}
 },
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 60cc611..b3703f0 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -68,7 +68,8 @@ $ pnpm link -—global @gitpod/sdk
 Most tests require you to [set up a mock server](https://github.com/stoplightio/prism) against the OpenAPI spec to run the tests.
 
 ```sh
-$ npx prism mock path/to/your/openapi.yml
+$ yarn add -D @stoplight/prism-cli
+$ yarn prism mock path/to/your/openapi.yml
 ```
 
 ```sh
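Review bot: The `npm config set ignore-scripts true --location=user` line and the `>> ~/.yarnrc` line write user-scoped config into the home of the build-time user, which in a Dockerfile is root unless the base image switches user, whereas a dev container normally runs the developer's shell as a non-root remote user; the lifecycle-script hardening therefore likely never reaches the npm and yarn the developer actually runs. An environment-based setting applies to every user and every npm on PATH, `ENV npm_config_ignore_scripts=true`, and the yarn line should target the remote user's home (or the project's own `.yarnrc`) rather than `~`; note also that `ignore-scripts true` in `.yarnrc` is the yarn classic format, and yarn 2+ reads `enableScripts: false` from `.yarnrc.yml`, so confirm which yarn the image ships. `FROM mcr.microsoft.com/devcontainers/typescript-node:latest` works against the supply-chain intent of this file: pin a tag and preferably a digest, `FROM mcr.microsoft.com/devcontainers/typescript-node:<tag>@sha256:<digest>` (placeholders). The `/usr/local/bin/npx` stub is a convenience guard only, since `npm exec` offers the same behaviour and any Node toolchain placed earlier on PATH later shadows it, so a comment saying so above the `# Disable npx for security` line would keep future readers from over-trusting it.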
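Review bot: The retained `"ghcr.io/devcontainers/features/node:1": {}` context line installs a second Node toolchain on top of the one the new `"build"` block hardens; such feature installs typically put their own `bin` directory ahead of `/usr/local/bin` on PATH, which would shadow the `npx` stub and run an npm whose config the Dockerfile did not touch. Either drop the feature now that the base image's Node is the one being locked down, or verify after build as the remote user with `which npx` and `npm config get ignore-scripts`. The enclosing JSON object continues outside the hunk.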