The node:24-alpine base image ships /usr/local/lib/node_modules/npm which
bundles outdated minimatch, picomatch, and tar. We run the standalone Next
server with 'node server.js' at runtime and never need npm/corepack in the
runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Personal professional website for jasonwoltje.com, built on Payload CMS 3 +
Next.js 16 and deployed to w-docker0 (Docker Swarm) behind the existing
MosaicStack edge Traefik. Establishes the delivery contract before any
scaffold work begins:
- docs/PRD.md — stack, content model, routing, design system, CI, infra,
acceptance criteria, assumptions, and escalation log
- docs/TASKS.md — milestone breakdown 0.0.1 → 0.1.0 MVP
- README.md, LICENSE (All Rights Reserved), .gitignore
- design-samples/ — stitch "Technical Editorial" mockups + DESIGN.md tokens
- images/ — source headshots (to be imported into Payload media on seed)
- .mosaic/ — orchestrator scaffolding (quality rails, repo hooks)

Scaffold (Next.js + Payload init) ships on feat/scaffold in a follow-up PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>