Remediate insecure npm usage in Docker image (#8786)

* Remediate insecure npm usage in Docker image

* No -am

Author: joehan

scripts/publish.sh

@@ -92,10 +92,14 @@ echo "Publishing to npm..."
 npx [email protected] --before-script ./scripts/clean-shrinkwrap.sh
 echo "Published to npm."
 
+echo "Updating package-lock.json for Docker image..."
+npm --prefix ./scripts/publish/firebase-docker-image install
+echo "Updated package-lock.json for Docker image."
+
 echo "Cleaning up release notes..."
 rm CHANGELOG.md
 touch CHANGELOG.md
-git commit -m "[firebase-release] Removed change log and reset repo after ${NEW_VERSION} release" CHANGELOG.md 
+git commit -m "[firebase-release] Removed change log and reset repo after ${NEW_VERSION} release" CHANGELOG.md scripts/publish/firebase-docker-image/package-lock.json
 echo "Cleaned up release notes."
 
 echo "Pushing to GitHub..."

scripts/publish/firebase-docker-image/Dockerfile

@@ -3,9 +3,20 @@ FROM node:lts-alpine AS app-env
 # Install Python and Java and pre-cache emulator dependencies.
 RUN apk add --no-cache python3 py3-pip openjdk11-jre bash && \
     apk update && \
-    apk upgrade && \
-    npm install -g firebase-tools && \
-    firebase setup:emulators:database && \
+    apk upgrade
+
+
+RUN mkdir -p /usr/local/node_packages/
+COPY package.json /usr/local/node_packages/
+COPY package-lock.json /usr/local/node_packages/
+
+WORKDIR /usr/local/node_packages/
+RUN npm install
+ENV PATH="/usr/local/node_packages/node_modules/.bin:${PATH}"
+
+WORKDIR /
+
+RUN firebase setup:emulators:database && \
     firebase setup:emulators:firestore && \
     firebase setup:emulators:pubsub && \
     firebase setup:emulators:storage && \