fix(docker): remove bundled npm from runner to clear Trivy CVEs #4

Merged

jason.woltje merged 1 commits from fix/trivy-remove-bundled-npm into main

2026-04-14 03:49:54 +00:00

Author	SHA1	Message	Date
Jason Woltje	e67727e009	fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches All checks were successful ci/woodpecker/push/web Pipeline was successful Details ci/woodpecker/pr/web Pipeline was successful Details The node:24-alpine base image ships /usr/local/lib/node_modules/npm which bundles outdated minimatch, picomatch, and tar. We run the standalone Next server with 'node server.js' at runtime and never need npm/corepack in the runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-13 22:47:49 -05:00

Author

SHA1

Message

Date

Jason Woltje

e67727e009

fix(docker): remove bundled npm from runner to eliminate Trivy CVE matches

ci/woodpecker/push/web Pipeline was successful

Details

ci/woodpecker/pr/web Pipeline was successful

Details

The node:24-alpine base image ships /usr/local/lib/node_modules/npm which
bundles outdated minimatch, picomatch, and tar. We run the standalone Next
server with 'node server.js' at runtime and never need npm/corepack in the
runner, so delete them entirely. Clears CVE-2026-27903/27904/33671/29786/31802.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-13 22:47:49 -05:00

fix(docker): remove bundled npm from runner to clear Trivy CVEs #4

1 Commits