Created
January 15, 2026 19:19
-
-
Save w3cj/0b6d2c619e59768f592e1c7e8ec4cb93 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "base-setup", | |
| "image": "mcr.microsoft.com/devcontainers/javascript-node:1-22-bookworm", | |
| "features": { | |
| "ghcr.io/devcontainers/features/common-utils:2": { | |
| "installOhMyZsh": true, | |
| "configureZshAsDefaultShell": true | |
| }, | |
| "ghcr.io/devcontainers/features/docker-in-docker:2": {}, | |
| "ghcr.io/devcontainers/features/sshd:1": {} | |
| }, | |
| "workspaceMount": "source=/path/to/the/project/you/want/to/work/in/here,target=/workspace,type=bind", | |
| "workspaceFolder": "/workspace", | |
| "customizations": { | |
| "vscode": { | |
| "settings": {}, | |
| "extensions": [] | |
| } | |
| }, | |
| "remoteUser": "node" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@w3cj Hi CJ! Found my way here via the Syntax video on Dev Containers, thanks for all the great work and contributions there.
I’m now using Dev Containers myself as a "glovebox" to stay safe from npm exploits, but I worry about "lab leaks"... i.e. accidentally running an install on my local instead of inside the container.
After some research (and a hand from Gemini), I found that mounting
node_modulesas a named volume keeps the host folder empty and the risk isolated:I'd appreciate your insights on this as a part of a security setup, is my understanding of volume mounting for isolation on the right track and/or are there other patterns or approaches you’d recommend instead? Thanks very much.