From 6db28bc81fb0c8257d2931adf7c2e2c4b4535529 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Tue, 14 Apr 2026 03:49:54 +0000
Subject: [PATCH] fix(docker): remove bundled npm from runner to clear Trivy CVEs (#4)
Co-authored-by: Jason Woltje
Co-committed-by: Jason Woltje
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 4038a1a..7d703df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,6 +40,8 @@ ENV NODE_ENV=production \
 RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs
 RUN apk upgrade --no-cache && \
 apk add --no-cache wget && \
+ rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
+ /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack && \
 mkdir -p /app/media && \
 chown -R nextjs:nodejs /app
 COPY --from=build --chown=nextjs:nodejs /app/public ./public
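Review bot: The `rm -rf` added to the `RUN apk upgrade` step removes npm, npx and corepack only from the final filesystem view; if this stage's `FROM` (outside the hunk) is a stock Node image, the same files still sit in the base layer, so the image scan goes quiet while the artifact continues to carry them. The runtime benefit is real, since no package manager is left to run inside the container, but it is worth confirming that the `CMD` and any `HEALTHCHECK` below the hunk start the app with `node` directly and never through `npm` or `npx`. I would record the reason above the step, e.g. `# npm/npx/corepack are unused at runtime; deleted to shrink the runner's attack surface (they remain in the base layer)`, so the deletion is not dropped as dead weight in a later cleanup.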