chore: add openssh-sftp-server, procps, and tar@7.5.11 to base image

drew · drew · commit f96f3fea6836 · 2026-03-12T09:55:50.000-07:00
Incorporates changes from PR #22: - openssh-sftp-server and procps are required for VS Code / Cursor remote SSH connections (SFTP file transfer, process inspection) - tar@7.5.11 in the base image fixes 6 CVEs at the earliest layer
diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
@@ -31,6 +31,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         iputils-ping \
         net-tools \
         netcat-openbsd \
+        openssh-sftp-server \
+        procps \
         software-properties-common \
         traceroute \
     && add-apt-repository -y ppa:deadsnakes/ppa \
@@ -60,6 +62,11 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
         nano \
     && rm -rf /var/lib/apt/lists/*
 
+# Fix transitive tar vulnerabilities (GHSA-qffp-2rhf-9h96,
+# GHSA-9ppj-qmqm-q256, GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w,
+# GHSA-34x7-hfp2-rc4v, GHSA-83g3-92jg-28cx).
+RUN npm install -g tar@7.5.11
+
 # GitHub CLI
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
         -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \
