fix(docker): remove bundled npm from runner to clear Trivy CVEs #4

jason.woltje · 2026-04-14T03:48:04Z

jason.woltje commented

2026-04-14 03:48:04 +00:00

Trivy on pipeline #10 flagged HIGH CVEs in bundled by the base image (minimatch 10.2.2, picomatch 4.0.3, tar 7.5.9). Our runtime is from the standalone Next output; npm/corepack are unused at runtime.

Changes

Runner stage deletes , [1m━━━ Corepack - 0.34.6 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[38;5;256m━[38;5;255m━[38;5;254m━[38;5;253m━[38;5;252m━[38;5;251m━[38;5;250m━[38;5;249m━[38;5;248m━[38;5;247m━[38;5;246m━[38;5;245m━[38;5;244m━[38;5;243m━[38;5;242m━[38;5;241m━[38;5;240m━[38;5;239m━[38;5;238m━[38;5;237m━[38;5;236m━[38;5;235m━[38;5;234m━[38;5;233m━[0m

[1m$ [22mcorepack

[1m━━━ General commands ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[38;5;256m━[38;5;255m━[38;5;254m━[38;5;253m━[38;5;252m━[38;5;251m━[38;5;250m━[38;5;249m━[38;5;248m━[38;5;247m━[38;5;246m━[38;5;245m━[38;5;244m━[38;5;243m━[38;5;242m━[38;5;241m━[38;5;240m━[38;5;239m━[38;5;238m━[38;5;237m━[38;5;236m━[38;5;235m━[38;5;234m━[38;5;233m━[0m

[1mcorepack cache clean[22m
Cleans Corepack cache

[1mcorepack disable [--install-directory #0] ...[22m
Remove the Corepack shims from the install directory

[1mcorepack enable [--install-directory #0] ...[22m
Add the Corepack shims to the install directory

[1mcorepack install[22m
Install the package manager configured in the local project

[1mcorepack install <-g,--global> [--cache-only] ...[22m
Install package managers on the system

[1mcorepack pack [--json] [-o,--output #0] ...[22m
Store package managers in a tarball

[1mcorepack up[22m
Update the package manager used in the current project

[1mcorepack use [22m
Define the package manager to use for the current project

You can also print more details about any of these commands by calling them with
the [36m-h,--help[39m flag right after the command name., and the matching shims.

Clears CVE-2026-27903/27904/33671/29786/31802.

Test plan

PR pipeline lint/typecheck/build green
On merge: Kaniko builds, Trivy HIGH/CRITICAL clean, link-package succeeds

Trivy on pipeline #10 flagged HIGH CVEs in bundled by the base image (minimatch 10.2.2, picomatch 4.0.3, tar 7.5.9). Our runtime is from the standalone Next output; npm/corepack are unused at runtime. ## Changes - Runner stage deletes , [1m━━━ Corepack - 0.34.6 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[38;5;256m━[38;5;255m━[38;5;254m━[38;5;253m━[38;5;252m━[38;5;251m━[38;5;250m━[38;5;249m━[38;5;248m━[38;5;247m━[38;5;246m━[38;5;245m━[38;5;244m━[38;5;243m━[38;5;242m━[38;5;241m━[38;5;240m━[38;5;239m━[38;5;238m━[38;5;237m━[38;5;236m━[38;5;235m━[38;5;234m━[38;5;233m━[0m [1m$ [22mcorepack <command> [1m━━━ General commands ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[38;5;256m━[38;5;255m━[38;5;254m━[38;5;253m━[38;5;252m━[38;5;251m━[38;5;250m━[38;5;249m━[38;5;248m━[38;5;247m━[38;5;246m━[38;5;245m━[38;5;244m━[38;5;243m━[38;5;242m━[38;5;241m━[38;5;240m━[38;5;239m━[38;5;238m━[38;5;237m━[38;5;236m━[38;5;235m━[38;5;234m━[38;5;233m━[0m [1mcorepack cache clean[22m Cleans Corepack cache [1mcorepack disable [--install-directory #0] ...[22m Remove the Corepack shims from the install directory [1mcorepack enable [--install-directory #0] ...[22m Add the Corepack shims to the install directory [1mcorepack install[22m Install the package manager configured in the local project [1mcorepack install <-g,--global> [--cache-only] ...[22m Install package managers on the system [1mcorepack pack [--json] [-o,--output #0] ...[22m Store package managers in a tarball [1mcorepack up[22m Update the package manager used in the current project [1mcorepack use <pattern>[22m Define the package manager to use for the current project You can also print more details about any of these commands by calling them with the [36m`-h,--help`[39m flag right after the command name., and the matching shims. - Clears CVE-2026-27903/27904/33671/29786/31802. ## Test plan - [ ] PR pipeline lint/typecheck/build green - [ ] On merge: Kaniko builds, Trivy HIGH/CRITICAL clean, link-package succeeds

jason.woltje added 1 commit 2026-04-14 03:48:04 +00:00

fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches

ci/woodpecker/push/web Pipeline was successful

Details

ci/woodpecker/pr/web Pipeline was successful

Details

e67727e009

The node:24-alpine base image ships /usr/local/lib/node_modules/npm which
bundles outdated minimatch, picomatch, and tar. We run the standalone Next
server with 'node server.js' at runtime and never need npm/corepack in the
runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

jason.woltje merged commit 6db28bc81f into main

2026-04-14 03:49:54 +00:00

jason.woltje referenced this issue from a commit

2026-04-14 03:49:55 +00:00

fix(docker): remove bundled npm from runner to clear Trivy CVEs (#4)

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: jason.woltje/professional-website#4