From 2712f30382d627f5e04c09b4bb36c692e71996e2 Mon Sep 17 00:00:00 2001
From: Matthias Mair
Date: Fri, 4 Apr 2025 00:04:06 +0200
Subject: [PATCH] fix: ci security issues (#9451)
* fix possible code injection errors
* pin n
---
 .devcontainer/Dockerfile | 2 +-
 .github/actions/setup/action.yaml | 10 +++++++---
 contrib/container/Dockerfile | 4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a847b4c232..e22342def0 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -34,7 +34,7 @@ RUN apt install -y \
 yarn nodejs npm
 # Update to the latest stable node version
-RUN npm install -g n --ignore-scripts && n lts
+RUN npm install -g n@10.1.0 --ignore-scripts && n lts
 RUN yarn config set network-timeout 600000 -g
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 4f052e630a..ae42c5340c 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -64,7 +64,9 @@ runs:
 - name: Install Specific Python Dependencies
 if: ${{ inputs.pip-dependency }}
 shell: bash
- run: uv pip install ${{ inputs.pip-dependency }}
+ run: uv pip install ${PIP_DEPS}
+ env:
+ PIP_DEPS: ${{ inputs.pip-dependency }}
 # NPM installs
 - name: Install node.js ${{ env.node_version }}
@@ -78,8 +80,10 @@ runs:
 shell: bash
 run: |
 sudo apt-get update
- sudo apt-get install ${{ inputs.apt-dependency }}
- sudo apt-get install ${{ inputs.apt-dependency }}
+ sudo apt-get install ${APT_DEPS}
+ sudo apt-get install ${APT_DEPS}
+ env:
+ APT_DEPS: ${{ inputs.apt-dependency }}
 # Invoke commands
 - name: Install dev requirements
diff --git a/contrib/container/Dockerfile b/contrib/container/Dockerfile
index 8da5baee12..5c37404c5b 100644
--- a/contrib/container/Dockerfile
+++ b/contrib/container/Dockerfile
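Review bot: Pinning `n@10.1.0` fixes the installer's version, but the `n lts` on the same `RUN` line still resolves "lts" against nodejs.org at build time, so the Node.js release actually baked into the image stays unpinned and can differ between two builds of an unchanged Dockerfile. If reproducibility is the goal of the pin, pass an explicit version instead, e.g. `ARG NODE_VERSION=<pinned-node-version>` above the step and `n ${NODE_VERSION}` in place of `n lts`; if floating to the current LTS is intentional for the devcontainer, a comment on the line would record that, e.g. `# n itself is pinned; the Node release intentionally floats to the current LTS`. The same `n@10.1.0` / `n lts` pairing appears in both hunks of contrib/container/Dockerfile (`RUN bash -c "n lts"` after lines 108 and 152), where an explicit version matters more since that appears to be the distributed image.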
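Review bot: Moving `inputs.pip-dependency` into `env` is the right fix, but nothing in the hunk records why, and the indirection is easy to "simplify" back to an inline `${{ }}` in a later edit. A one-line comment above the step would preserve the intent, e.g. `# Inputs are passed through env so bash expands them as data instead of splicing them into the script`; the same comment applies to the apt step in the following hunk. Note that `${PIP_DEPS}` is deliberately unquoted so several space-separated specifiers can be passed, which means the value is still subject to word splitting and glob expansion — fine for a trusted caller, but worth stating in the input's description, which is outside this hunk.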
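Review bot: The new side keeps `sudo apt-get install ${APT_DEPS}` twice back to back, which reads like a copy-paste carried over from the removed lines rather than a deliberate retry; the second call is a no-op when the first succeeds and, with the `-e` that GitHub applies to `shell: bash` steps, never runs when it fails, so dropping one of the two lines loses nothing. Separately, `apt-get install` has no `-y`, so if a requested package pulls in extra dependencies apt will prompt on the non-interactive runner and may abort the step; `sudo apt-get install -y ${APT_DEPS}` avoids that.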
@@ -108,7 +108,7 @@ RUN ./install_build_packages.sh --no-cache --virtual .build-deps && \
 FROM prebuild AS frontend
 RUN apk add --no-cache --update nodejs npm yarn bash
-RUN npm install -g --ignore-scripts n
+RUN npm install -g --ignore-scripts n@10.1.0
 RUN bash -c "n lts"
 RUN yarn config set network-timeout 600000 -g
 COPY src ${INVENTREE_HOME}/src
@@ -152,7 +152,7 @@ RUN pip install --require-hashes -r base_requirements.txt --no-cache
 # Install nodejs / npm / yarn
 RUN apk add --no-cache --update nodejs npm yarn bash
-RUN npm install -g --ignore-scripts n
+RUN npm install -g --ignore-scripts n@10.1.0
 RUN bash -c "n lts"
 RUN yarn config set network-timeout 600000 -g