jason.woltje/professional-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches
All checks were successful
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/pr/web Pipeline was successful
Details

Browse Source 
The node:24-alpine base image ships /usr/local/lib/node_modules/npm which
bundles outdated minimatch, picomatch, and tar. We run the standalone Next
server with 'node server.js' at runtime and never need npm/corepack in the
runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-04-13 22:47:49 -05:00
parent 261c0019bb
commit e67727e009
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@@ -40,6 +40,8 @@ ENV NODE_ENV=production \
RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs
RUN apk upgrade --no-cache && \
apk add --no-cache wget && \
rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
/usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack && \
mkdir -p /app/media && \
chown -R nextjs:nodejs /app
COPY --from=build --chown=nextjs:nodejs /app/public ./public