jason.woltje/professional-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jason.woltje:fix/trivy-remove-bundled-npm
Branches Tags
jason.woltje:main jason.woltje:fix/trivy-remove-bundled-npm jason.woltje:fix/trivy-hardening jason.woltje:fix/dockerfile-public jason.woltje:feat/scaffold
..
compare: jason.woltje:fix/trivy-hardening
Branches Tags
jason.woltje:main jason.woltje:fix/trivy-remove-bundled-npm jason.woltje:fix/trivy-hardening jason.woltje:fix/dockerfile-public jason.woltje:feat/scaffold

1 Commits
fix/trivy- ... fix/trivy-

Author SHA1 Message Date
Jason Woltje
0637992723 fix(security): remediate Trivy HIGH findings on main image
All checks were successful
ci/woodpecker/pr/web Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details 
- Bump next 16.2.2 -> 16.2.3 (GHSA-q4gf-8mx6-v5v3 RSC DoS)
- pnpm overrides: minimatch>=10.2.3, picomatch>=4.0.4, tar>=7.5.11
  (CVE-2026-27903/27904, 33671, 29786, 31802)
- Dockerfile runner: apk upgrade --no-cache pulls patched openssl 3.5.6-r0
  and zlib 1.3.2-r0 before installing wget (CVE-2026-28390, 22184)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-13 22:38:03 -05:00
1 changed files with 0 additions and 2 deletions
Expand all files Collapse all files

2
Dockerfile
View File

@@ -40,8 +40,6 @@ ENV NODE_ENV=production \
RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs
RUN apk upgrade --no-cache && \
apk add --no-cache wget && \
rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
/usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack && \
mkdir -p /app/media && \
chown -R nextjs:nodejs /app
COPY --from=build --chown=nextjs:nodejs /app/public ./public