mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(ci): mitigate 11 upstream CVEs at source instead of suppressing
Some checks failed
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/api Pipeline was successful
Details

Browse Source 
- docker/postgres/Dockerfile: build gosu from source with Go 1.26 via
  multi-stage build (eliminates 1 CRITICAL + 5 HIGH Go stdlib CVEs)
- apps/{api,web,orchestrator}/Dockerfile: remove npm from production
  images (eliminates 5 HIGH CVEs in npm's bundled cross-spawn/glob/tar)
- .trivyignore: trimmed from 16 to 5 CVEs (OpenBao only — 4 false
  positives from Go pseudo-version + 1 real Go stdlib waiting on upstream)

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-12 17:10:44 -06:00
parent 08f62f1787
commit 3833805a93
6 changed files with 44 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/api/Dockerfile
View File

@@ -55,6 +55,10 @@ RUN pnpm turbo build --filter=@mosaic/api --force
# ======================
FROM node:20-alpine AS production
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install dumb-init for proper signal handling
RUN apk add --no-cache dumb-init