fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches

The node:24-alpine base image ships /usr/local/lib/node_modules/npm which bundles outdated minimatch, picomatch, and tar. We run the standalone Next server with 'node server.js' at runtime and never need npm/corepack in the runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 22:47:49 -05:00
1 changed files with 2 additions and 0 deletions
--- a/2
+++ b/2
@@ -40,6 +40,8 @@ ENV NODE_ENV=production \
 RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs
 RUN apk upgrade --no-cache && \
    apk add --no-cache wget && \
+    rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack \
+           /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack && \
    mkdir -p /app/media && \
    chown -R nextjs:nodejs /app
 COPY --from=build --chown=nextjs:nodejs /app/public ./public