Allow local bundles for custom engines/plugins

[sirdodger]

npm suffers from ongoing security issues from vulnerabilities being injected into existing packages. Currently, there is no way to run a custom engine on Fargate without fetching that package from npm.

Allowing a locally bundled engine would solve this problem by only allowing trusted code.

[hassy]

Will need to take a look at what needs to be done to support local bundles for custom engines/plugins.

We're already working on adding support for using pnpm to install dependencies in Fargate workers.

[hassy]

If you're using a private npm proxy (e.g. Artifactory or Verdaccio) there's a way to use that as well, either by bundling an .npmrc file with your test, or by setting NPM_REGISTRY, NPM_TOKEN, and NPM_SCOPE environment variables inside workers (with --env-file if they're in a dotenv file, or --secret to use AWS Parameter Store secrets).

[sirdodger]

Thank you, that is all helpful information!