Passing virus scans

I’ve built my own Docker image of Theia. While conducting some virus scans over the image, one of the JavaScript files gets flagged as containing a possible HTML exploit. Specifically it’s the file at /home/theia/lib/bundle.js if you’re using the theiaide/theia-full image. If only the node_modules folder were passed through a firewall, is there a simple way to reconstruct all files in the lib directory offline?

[original thread by Josh Bradley]

Hi Joshua. One option would be to have your own local npm registry and use that instead of the default public one.

A simpler way for one to achieve an offline Theia build (see “The Yarn Alternative” section towards the end): https://spin.atomicobject.com/2016/12/16/reproducible-builds-npm-yarn/

Not sure, however, if this would work with a few of our dependencies that download extra stuff after install, e.g. ripgrep.

[Josh Bradley]

This would be the ideal approach and is something I tried with a local npm registry. Unfortunately some VS Code dependencies rely on binaries hosted on GitHub and ultimately I never got it to work. This pushed me to build Theia using the public npm registry instead.

[Josh Bradley]

By design, I expected yarn theia rebuild to reconstruct all necessary files while offline. I should be able to copy node_modules anywhere, disconnect from the internet, and rebuild. If you delete the lib folder, and run the rebuild command, it passes successfully because all extensions exist in node_modules even though other supporting directories are corrupt.