From 3bd9ea8ee76b8b2400c9e1ac523ace76ed8a9120 Mon Sep 17 00:00:00 2001
From: Karl Isenberg
Date: Mon, 5 Feb 2024 11:02:43 -0800
Subject: [PATCH] chore: pin dev deps in the dev container

Copy package.json and package-lock.json into the site dev container and use them to pin the versions and checksums for autoprefixer, postcss-cli, and their dependencies. This should help reduce risk of importing newer dependency versions that haven't passed vulnerability checks.

---
 site/Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/site/Dockerfile b/site/Dockerfile
index 18fe2f594..3b68e10bd 100644
--- a/site/Dockerfile
+++ b/site/Dockerfile
@@ -28,8 +28,14 @@ RUN apk add --no-cache \
 git \
 openssh-client \
 rsync \
- npm && \
- npm install -D autoprefixer postcss-cli
+ npm
+
+RUN mkdir -p /usr/local/node_packages
+WORKDIR /usr/local/node_packages
+COPY package.json ./
+COPY package-lock.json ./
+RUN npm install -D autoprefixer postcss-cli
+ENV PATH="/usr/local/node_packages/node_modules/.bin:${PATH}"
 
 RUN mkdir -p /var/hugo && \
 addgroup -Sg 1000 hugo && \
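Review bot: The pinning this commit describes is not actually enforced by the new `RUN npm install -D autoprefixer postcss-cli` line: npm documents an unversioned `npm install <name>` as a `<name>@latest` install, and with save on by default it re-resolves those two packages and rewrites package.json and package-lock.json inside the image, so the copied lockfile's versions and integrity hashes are not guaranteed to be what gets installed. Since package.json and package-lock.json are now copied in first, the deterministic form is `RUN npm ci --ignore-scripts && npm cache clean --force`, which installs exactly what the lockfile records, fails the build if the lockfile and package.json disagree, skips third-party lifecycle scripts at install time, and keeps the npm cache out of the layer. This presumes autoprefixer and postcss-cli are already declared as devDependencies in the copied package.json and that nothing in the locked tree relies on a postinstall step, neither of which the hunk shows. A short why-comment above the install, such as `# npm ci installs exactly the versions/integrity hashes in package-lock.json`, would record the intent for the next maintainer.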