From e67727e0090dd349737a06b89db19685e362db02 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Mon, 13 Apr 2026 22:47:49 -0500
Subject: [PATCH] fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches

The node:24-alpine base image ships /usr/local/lib/node_modules/npm which bundles outdated minimatch, picomatch, and tar. We run the standalone Next server with 'node server.js' at runtime and never need npm/corepack in the runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802.

Co-Authored-By: Claude Opus 4.6
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 4038a1a..7d703df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,6 +40,8 @@ ENV NODE_ENV=production \
 RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs
 RUN apk upgrade --no-cache && \
     apk add --no-cache wget && \
+    rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
+    /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack && \
     mkdir -p /app/media && \
     chown -R nextjs:nodejs /app
 COPY --from=build --chown=nextjs:nodejs /app/public ./public
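Review bot: The added `rm -rf` is a fixed path list that cannot fail, so if a later node:24-alpine release relocates npm or corepack (or adds another launcher under /usr/local/bin) the build stays green while npm and its bundled minimatch/picomatch/tar silently return and the Trivy findings reappear; add an assertion right after the deletion so the build breaks instead: `! command -v npm && ! command -v npx && ! command -v corepack && \`. The Dockerfile itself carries no explanation of why these paths are deleted — the rationale lives only in the commit message — so a comment above the `rm -rf` line such as `# Drop npm/corepack from the runtime: only 'node server.js' runs here, and the bundled npm ships outdated minimatch/picomatch/tar that Trivy flags` would stop a future maintainer from "restoring" them. Keeping the deletion in the same RUN as `apk upgrade` is correct for the merged filesystem that Trivy and a shell inside the container see, but the bytes presumably still exist in the base image layer underneath the whiteout, so this is runtime-surface and scanner hygiene rather than removal from the image artifact. The claim that nothing at runtime needs npm rests on the CMD/ENTRYPOINT, which is outside this hunk.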